Sie sind auf Seite 1von 69

CLOUD-COMPUTING

IT Opportunity or Business Risk?

Thesis for the Post graduate IT Audit course of the Vrije Universteit Amsterdam Date: 29 April 2010 Version: 1.0

Authors: Team number: University supervisor: Company counsellor: Graduate date:

Sander Nieuwenhuizen (1786385) Jurgen van Alphen (1689452) 1012 Dhr. C.W.P.J. van Hoof RE Dhr. R. Verschuren Dhr. V. Hoefakkers RE 7 June 2010

This page intentionally left blank

Preface
Writing a thesis is one of the last parts of the Postgraduate IT Audit course of the VU University of Amsterdam. This document is the result of our research. Apart from the thesis subject, we also described the goal, result questions, and the most important milestones in this document. Before we present our actual study, we would like to express our thanks to our University supervisor at the Vrije Universiteit, Dhr. C.W.P.J. van Hoof RE for his guidance and counselling. We would also like to thank our families for their support and their patience with us during our study without them we definitely would not have made it.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

This page intentionally left blank

Table of Contents
Preface ......................................................................................................................................... i Table of Contents ....................................................................................................................... ii List of Figures ........................................................................................................................... iv List of Tables ............................................................................................................................. iv Abstract ...................................................................................................................................... v 1 INTRODUCTION .............................................................................................................. 1 1.1 Reason .......................................................................................................................... 1 1.2 Research Questions ...................................................................................................... 2 1.2.1 Sub questions ...................................................................................................... 2 1.3 The structure of our research and thesis ....................................................................... 2 1.4 Scope of the thesis ........................................................................................................ 2 Cloud Computing ............................................................................................................... 3 2.1 What is Cloud Computing? .......................................................................................... 3 2.1.1 History ................................................................................................................ 3 2.1.2 Definition ............................................................................................................ 5 2.1.2.1 Essential Characteristics ..................................................................................... 5 2.1.2.2 Service Models ................................................................................................... 6 2.1.2.3 Deployment Models............................................................................................ 6 2.1.3 Taxonomy of Cloud Computing ......................................................................... 7 2.1.4 Old wine in new bags ....................................................................................... 12 2.1.5 So, whats different then? ................................................................................. 16 2.2 Risks ........................................................................................................................... 18 2.3 The future of Cloud Computing? ............................................................................... 21 2.4 Conclusion.................................................................................................................. 22 Outsourcing ...................................................................................................................... 23 3.1 What is outsourcing? .................................................................................................. 23 3.2 History ........................................................................................................................ 23 3.3 Why outsourcing? ...................................................................................................... 23 3.4 Risks ........................................................................................................................... 24 3.5 Outsourcing versus Cloud Computing ....................................................................... 24 3.6 Conclusion.................................................................................................................. 25

1012 Thesis - Cloud Computing IT Opportunity or Business risk

ii

SAS70............................................................................................................................... 26 4.1 What is SAS70? ......................................................................................................... 26 4.2 The organizations providing services......................................................................... 26 4.3 Type of report ............................................................................................................. 26 4.3.1 Type 1 ............................................................................................................... 26 4.3.2 Type 2 ............................................................................................................... 27 4.4 Timing of an SAS70 report ........................................................................................ 27 4.5 Scope of an SAS70 report .......................................................................................... 27 4.6 Difficulties with SAS 70 Reports ............................................................................... 27 4.7 Differences between a SAS70 report and other reports ............................................. 28 4.8 Usability of a SAS70 report for Cloud services ......................................................... 28 4.9 Conclusion.................................................................................................................. 29 Real life examples ............................................................................................................ 30 5.1 Conclusion.................................................................................................................. 30 IT Audit Aspects .............................................................................................................. 31 6.1 Introduction ................................................................................................................ 31 6.2 The framework ........................................................................................................... 32 6.3 Comparison ................................................................................................................ 33 6.4 Conclusion.................................................................................................................. 34 Conclusion ........................................................................................................................ 35 7.1 Personal reflection ...................................................................................................... 37 7.1.1 Sander ............................................................................................................... 37 7.1.2 Jurgen ................................................................................................................ 37

Reference List .......................................................................................................................... 38 Appendices ............................................................................................................................... 46 Appendix 1: Interviews ............................................................................................................ 47 Global Retailer ..................................................................................................................... 47 Big financial institution ........................................................................................................ 49 Appendix 2: Cloud Computing definitions .............................................................................. 53 Appendix 3: Computer incidents.............................................................................................. 55

iii

1012 Thesis - Cloud Computing IT Opportunity or Business risk

List of Figures
Figure 1 Traditional network diagram with internet as cloud shape .......................................... 3 Figure 2 Evolution of hosting..................................................................................................... 4 Figure 3 Cloud Computing representation of definition ............................................................ 7 Figure 4 Cloud Taxonomy ......................................................................................................... 8 Figure 5 Responsibilities of IaaS ............................................................................................... 9 Figure 6 Responsibilities of PaaS............................................................................................. 10 Figure 7 Responsibilities of SaaS............................................................................................. 11 Figure 8 Basic elements of cloud computing ........................................................................... 12 Figure 9 Traditional security layers are becoming vague with virtualisation .......................... 14 Figure 10 Gartners Hype Cycle .............................................................................................. 15 Figure 11 Example of a Service Oriented Architecture ........................................................... 15 Figure 12 Transition from traditional IT to Cloud Computing ................................................ 16 Figure 13 Cloud management software ................................................................................... 17 Figure 14 Main Concerns according to ENISA Survey ........................................................... 18 Figure 15 Chart of main concerns according to ENISA Survey .............................................. 19 Figure 16 Overview of Internet threats .................................................................................... 20 Figure 17 Example of NOREA framework .............................................................................. 33 Figure 18 Internet Timeline growth of hosts ............................................................................ 56 Figure 19 Internet Timeline growth of Websites ..................................................................... 56

List of Tables
Table 1 Comparison of differences Grid Computing versus Cloud Computing ...................... 13 Table 2 SAS 70 versus Trust Services Reports ........................................................................ 28 Table 3 Cloud Computing characteristics versus NOREA Framework coverage ................... 34 Table 4 Computer incidents ..................................................................................................... 55 Table 5 CERT Internet Incidents ............................................................................................. 57

1012 Thesis - Cloud Computing IT Opportunity or Business risk

iv

This page intentionally left blank

Abstract
This thesis is concerned with the topic of Cloud Computing. It investigates to what extent Cloud Computing can be compared to outsourcing and it what ways this new development may impact the profession of IT auditors. To this end, it discusses the existing literature on Cloud Computing, outsourcing and SAS70. It also includes two interviews with people involved in the practice of Cloud Computing. The results of the present study indicate that outsourcing and Cloud Computing are essentially very similar, the only main difference being that with Cloud Computing, changes are executed by the demanding party via so-called cloud management software on-demand, while with outsourcing, changes are carried out via administrators. With respect to the impact that Cloud Computing might have on the IT auditing world, it can be argued that, given the few differences between Cloud Computing and outsourcing, IT auditing for both forms of subcontracting would also be very similar. It should be noted, however, that this thesis has only focused on processes rather than on technical aspects. These aspects should ideally also be included in order to gain a reasonable degree of assurance. What is needed is a standard that allows IT auditors to assess a given Cloud Computing environment in a correct and consistent manner. Such a standard will also help Cloud Computing providers to gain the trust of (future) customers.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

This page intentionally left blank

1 INTRODUCTION
In this chapter we will discuss the background and scope of our thesis.

1.1 Reason
The first time we heard about Cloud Computing was last year during a lecture about the impact of data centers, during which was pointed out that the trend for 2009 would be Cloud Computing. This drew our attention. We wondered what it was precisely. Which techniques it involved and what it meant in and for audit terms? In chapter 2.1 we will define what Cloud Computing is, followed by the techniques used with Cloud Computing and the audit implications in 4.6 and 5. More and more companies are attempting to use systems or services that are powered by Cloud Computing. These systems and services are to comply with the satisfaction and need to be competitively. The selection of a Cloud provider, the supplying organization is however, not an easy task. What is sometimes overlooked when selecting a supplier (service provider) or the use of the service is to determine whether the control and monitoring have been enforced correctly. The Cloud Computing concept looks like nothing new and looks like having great similarities with Outsourcing. Outsourcing has been the subject of many articles, white papers and best practices which shows us that we have knowledge about and experience with this subject. Also within the NOREA many articles have been written about outsourcing mainly by and for EDP auditors. The NOREA has even published a policy with the title: Normen voor de beheersing van Uitbestede ICT-beheerprocessen [NORE01]. Assurance about the proper working of all relevant processes with an outsourcing contract is usually delivered through a statement of control. This statement is supplied (specially) to the demanding company who is using the service from the outsourcer (supplier). The statement is applicable to the supplying company (cloud provider) itself (e.g. its internal auditors) or the external auditors. Applicable statements are usually one of the following: Statement of Auditing Standards (SAS70); Third Party Announcement (TPA)/ Third Party Mededeling (TPM); ISO/IEC 27001:2005; WebTrust or SysTrust. An applicable statement is made to give assurance about the existence and functioning of processes and procedures (the internal controls of a supplying service organization) which cover the outsourcing service during a defined time. By moving or copying (confidential) data (which can even be privacy-sensitive) to a supplier more risks could arise regarding the confidentiality, integrity and availability of data. Apart from that the risk of losing or leaking of sensitive information is greater when there are not enough controls in place. This applies to Outsourcing as well as Cloud Computing. As Cloud Computing seems to have great similarities with outsourcing, how and to which extent can therefore be trusted on security and the security controls of the service and the service provider and how does this differ compared to the regular controls which are in place with outsourcing?

1012 Thesis - Cloud Computing IT Opportunity or Business risk

1.2 Research Questions


Main research question: How and to what extent is it possible to use a SAS70 statement for outsourcing of IT components in case of Cloud Computing services and which elements and characteristics are key for getting assurance?

1.2.1 Sub questions


1. 2. 3. 4. 5. What is Cloud Computing and what are the latest developments? To what extent does Cloud Computing (as a service) differ from Outsourcing? In what extent is it possible to use existing IT audit Outsource policies? Can Cloud Computing give the same level of assurance as Outsourcing? Which elements and characteristic of the IT audit Outsource policy are key for Cloud Computing?

How can it be determined whether the system of measures, for compensating the client (demander) for specific risks within a Cloud, are sufficient in design, existence and functioning (over time) and meets the standards demanded by the customer? Is it possible to have a supporting statement such as an SAS70 type 2 report or other equal statement made by an independent third party? Finally we will answer the main question from our title page: Cloud-computing, IT opportunity or Business Risk?

1.3 The structure of our research and thesis


Review of literature; Documentation in the form of a thesis.

1.4 Scope of the thesis


We examine the risks of Cloud Computing from the perspective of the demand side. These risks are compared against the risks from the Outsourcing of services (Outsourcing), as outsourcing has been practiced for several years now. Finally we will examine for each unique characteristic of cloud computing whether it meets the standards set for an audit. For the set of standards we will use the NOREA guideline Normen voor de beheersing van Uitbestede ICT-beheerprocessen[NORE01]. We will examine the risks of Cloud Computing primarily from the perspective of the demand side (e.g. customers). This is to exclude the risks that Cloud providers may have for example to their internal organization or the external market, unless it appears that it poses a risk to the client. Furthermore we exclude the techniques used by the cloud provider within his cloud.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

2 Cloud Computing
2.1 What is Cloud Computing?
Cloud Computing was a hot topic in the IT world last year and will continue to be so this year. It is almost impossible to read a magazine, web site, or web log without encountering an article on this topic. In what follows below, we will first briefly discuss the history of the term Cloud (2.1.1) and then discuss the various definitions of Cloud Computing (2.1.2). After that we will take a look at the risks and security concerns (2.2), and finally look into the future of Cloud Computing (2.3).

2.1.1 History
The Cloud shape has originally been used in network drawings. In its original shape, it represents a (part of a) network that is used to send information over, but that is not owned or hired by the respective company. To illustrate what the Cloud shape originally stood for, figure 1 shows a corporate network with two branches and a Head Office on different geographic locations. The local networks in the branches are connected to the Head Office via the Internet. To the company the Internet is a black box because it is unknown how the companys network packages are routed from a Branch Office to the Head Office and vice versa. Even when it is known, the company is not able to influence the path because it has no control over these Internet network devices. Instead of drawing a black box it was a best practice to use a Cloud shape. Thus, until recently the Cloud or Cloud Shape represented a highly complex network of a lot of companies, with a lot of network devices, copper lines, glass fibres and routing protocols which working together makes it possible to establish a network connection between locations all over the world.

Figure 1 Traditional network diagram with internet as cloud shape

Nowadays the term the Cloud or Cloud Computing has a different meaning, yet one which is described by means of numerous definitions. This makes it difficult to establish what Cloud Computing refers to exactly. Entering Cloud Computing on Google results in 32.800.000 hits.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

According to James Staten [STAT01] Cloud Computing is the latest Evolution of hosting.

Figure 2 Evolution of hosting

In 2008 Luis M. Vaquero, Luis Rodero-Merino, Juan Caceres and Maik Lindner [VAQU01] conducted a study in which they found more than twenty different definitions for Cloud Computing. In Appendix 2: Cloud Computing definitions we included the most frequently used Cloud Computing definitions. This is one of the biggest pitfalls for Cloud Computing: everyone has a different view on what Cloud Computing is and moreover, what it should represent to generate more business. 'There is a clear consensus that there is no real consensus on what Cloud Computing is.' [BERG01]. As a result of these differing views, it is not surprising that service providers deliver different products under the same name of Cloud Computing. Some of these products are described below. According to Google, Cloud Computing involves web applications like mail (Gmail) or word processing (Google Apps). The customer buys access to these apps, and as soon as he/she has access they are ready to go. This is also the case for the supplier Salesforce.com, which is offering an (online) CRM application. The only thing a customer needs is a web browser, internet access and an account to Salesforce.com; then he/she can manage customers. When we look at the supplier Amazon, however, it is clear that they define Cloud Computing differently. With Cloud Computing, Amazon offers a complete infrastructure existing of hardware, network, operating system, web server software and database software. On top of this the customer has to install his own content or web application (software). In sum, what Cloud Computing means may differ according to its service provider.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

2.1.2

Definition

With already more than twenty different definitions, it made no sense to make our own. We looked for the most generic definition; one that is supported by several different organisations and that most effectively distinguishes Cloud Computing from other existing IT solutions. NIST (National Institute of Standards and Technology), the organization that provides all kind of standards, has done some research on the different definitions of Cloud Computing and found that there were multiple similarities. These form the basis of their definition of Cloud Computing. Organisations involved in the promoting/advocating of Cloud Computing, like CSA (Cloud Security Alliance) and The Jericho Project, also acknowledge the problem of all the different definitions and commit themselves to the NIST definition [MELL03]. Therefore, in this thesis, we will use the following definition from NIST: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

2.1.2.1

Essential Characteristics

On-demand self-service A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each services provider. Broad network access Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs). Resource pooling The providers computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or data center). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. Rapid elasticity Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time. Measured Service Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service. [MELL03]. 1012 Thesis - Cloud Computing IT Opportunity or Business risk 5

2.1.2.2

Service Models

Cloud Software as a Service (SaaS) The capability provided to the consumer is to use the providers applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Cloud Platform as a Service (PaaS) The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Cloud Infrastructure as a Service (IaaS) The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). [MELL03].

2.1.2.3

Deployment Models

Private cloud The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. Community cloud The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise. Public cloud The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Hybrid cloud The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds). [MELL03]. Note: Cloud software takes full advantage of the cloud paradigm by being service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Visually the definition looks like this:

Figure 3 Cloud Computing representation of definition

[CSA01] In their latest draft of Security Guidance for Critical Areas of Focus in Cloud Computing [CSA01] CSA distinguishes one characteristic, multi-tenancy, as an important element to the NIST definition, where it is not an essential characteristic. At first we felt that multi-tenancy did not have any added value because in a private cloud there is no multi-tenancy. But later on we realized that multi-tenancy is the most striking characteristic of a Clouds infrastructure because as CSA [CSA01] states : Multi-tenancy in cloud service models implies a need for policy-driven enforcement, segmentation, isolation, governance, service levels, and chargeback/billing models for different consumer constituencies.. And this could also apply to a private cloud that is being used by different business units of the same demanding company.

2.1.3 Taxonomy of Cloud Computing


One approach to Cloud Computing is to see it as a black box. But in order to understand the Cloud Computing security risks it is essential to understanding the relationships and dependencies between the three Service Models. In other words, you have to know what happens within the black box. We will use the CSA Cloud Reference Model (see Figure 4 on the next page) to explain the differences between IaaS, PaaS and SaaS.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Presentation Modality APIs

Presentation Platform

Applications

Data

Metadata

Content

Integration & Middleware

Infrastructure as a Service (IaaS)

APIs

Platform as a Service (PaaS)

Core Connectivity & Delivery

Abstraction

Hardware

Facilities

Figure 4 Cloud Taxonomy

[CSA01] The Cloud Reference Model shows us which components or building blocks the three different services (IaaS, PaaS and SaaS) of the service model consist of. As with every model this is not a one on one mapping with the real world. Instead only the needed building blocks are presented. The building blocks are explained below: IaaS: The IaaS service is the foundation on which customers can build to their specific needs. The IaaS service layers are: Facilities This is the data center with floor space, physical security, power, cooling, UPS, computer racks cabling and internet connections et cetera. Hardware This is the metal which includes physical servers, storage and network components. Core Connectivity & Delivery This includes the basics for the network connection such as DNS, IP address management, network transport and security and Identity and Access Management.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Software as a Service (IaaS)

Abstraction Abstraction means that virtualization or physical servers can be used; in this block the hypervisor also known as the virtual machine monitor (VMM), virtual machine images and the utility to define a grid or cluster are defined. The abstraction building block ties the former layers and individual servers together to provide a uniform approach to address the specific configuration. APIs APIs are interfaces to enable the management of the Abstraction, Core Connectivity & Delivery and Hardware layer to the customer.

With IaaS, the consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and may possibly select networking components (e.g. firewalls, load balancers) as showed in Figure 5 Responsibilities of IaaS. This deploy model gives the demanding party the most control over its environment.

Figure 5 Responsibilities of IaaS

1012 Thesis - Cloud Computing IT Opportunity or Business risk

PaaS: The PaaS service is a less configurable service model for a customer as it allows configuring of the applications. The PaaS service layers are: IaaS See the explanation of IaaS aforementioned. Integration and Middleware The Integration and Middleware are a combination of a configured server, database and communication layer with messaging and queuing support. Examples are: Eucalyptus, which uses the Apache Axis2 Web services engine, MuleSource's Mule enterprise service bus, and Rampart security.

The PaaS service offering can be seen as a form of managed hosting. The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, or storage, but the consumer has control over the deployed applications and possibly application hosting environment configurations.
CLOUD Taxonomy
Presentation Modality APIs Presentation Platform

Responsible

Applications
DEMAND

Data

Metadata

Content

Integration & Middleware

APIs

Core Connectivity & Delivery


SUPPLY

Abstraction

Hardware

Facilities

Figure 6 Responsibilities of PaaS

10

1012 Thesis - Cloud Computing IT Opportunity or Business risk

SaaS: The SaaS service is the least configurable service model for a customer as it allows only the configuring of the data and the content within the applications. The SaaS service layers are: PaaS See the explanation of PaaS aforementioned. Data Data is unstructured and is raw. It has no direct meaning without knowing the right content. Metadata Metadata is a means to describe the value and characteristics of the data so it can be structured. Content Along with Metadata, content is used to describe the use and usage of the data. This is used to classify, aggregate and identify the unstructured data. Applications The applications are the pieces of software which can be in native, web or emulated form. APIs APIs are interfaces to enable the management of back-up and the software configurations to the customer. Presentation Modality Presentation Modality is an abstraction to present the outcome of the results to the customer by means of Data, Voice or Video. Presentation Platform The Presentation Platform is the layer which translates all of the above building blocks into the right content to be viewed with a PC, embedded device or mobile phone.

The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
CLOUD Taxonomy
Presentation Modality APIs Presentation Platform

Responsible

Applications

Data

Metadata

Content

Integration & Middleware


SUPPLY

APIs

Core Connectivity & Delivery

Abstraction

Hardware

Facilities

Figure 7 Responsibilities of SaaS

1012 Thesis - Cloud Computing IT Opportunity or Business risk

11

2.1.4 Old wine in new bags


The Figure below illustrates the basic elements of cloud computing where one or more computing services are delivered via the Internet to remote users in a customer organization:

Figure 8 Basic elements of cloud computing

[WOOD01] During our research we learned that the IT world is roughly deviated into two camps. The first camp shares the opinion that Cloud Computing is just another marketing buzzword because virtualization, provisioning and grid computing are not new technologies and are used for many years now. The second camp agrees with the first camp that most of the techniques used in Cloud Computing are existing ones, but feels that the combination of them may lead to an (IT) revolution. What we will do in our thesis is depart from the existing techniques and compare those to the techniques related to Cloud Computing, in order to show that Cloud Computing involves more than just applying existing techniques. Grid computing From Wikipedia: Grid computing (or the use of computational grids) is the combination of computer resources from multiple administrative domains applied to a common task, usually to a scientific, technical or business problem that requires a great number of computer processing cycles or the need to process large amounts of data.. The definition of grid computing shares many similarities with Cloud Computing, yet it also involves several differences. We have summed up the biggest differences hereafter based on the work done by Luis M. Vaquero et al [VAQU01]: Feature Security Architecture Grid Computing Security through credential delegations. Service oriented. Cloud Computing Security through isolation. User chosen architecture.

12

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Feature Platform Awareness

Grid Computing The client software must be Grid-enabled. Hard to manage. Reconfigurability. Limited support, often besteffort only. Hard to manage. Access transparency for the end user. Decentralized control. Nodes and sites scalability. Rigid. Collaboration (Virtual Organizations, fair share of load). Virtualization of data and computing resources.

Usability Self-Management SLA-driven / QoS On-demand self-service / Usability Broad network / User access Rapid elasticity / Centralization degree Resource pooling / Scalability Payment Model Resource Sharing

Cloud Computing The service provider software works on a customized environment. User friendliness. Reconfigurability, self-healing. Limited support, focused on availability and uptime. User friendliness. Access transparency for the end user. Centralized control (until now). Nodes, sites, and hardware scalability. Flexible. Assigned resources are not shared. Virtualization of hardware and software platforms.

Virtualization [VAQU01]

Table 1 Comparison of differences Grid Computing versus Cloud Computing

Virtualization Virtualization is used in a lot of Cloud Computing environments but is not essential. It is a way of decoupling the operating system from the hardware and has existed for several years. The first occurrence of virtualization was at an IBM Mainframe in 1972. VMware started in the 90s to support virtualization on the x86-platform (mainstream server and desktop computers). It is also a way of increasing the efficiency of the hardware. According to Coen Klaver [KLAV01], there are two different methods of virtualization: resource virtualization and platform virtualization. The first (resource virtualization) combines different resources into one logical object. The second (platform virtualization) divides physical objects (such as CPU and Memory) in multiple logical objects. Within the two aforementioned methods there are differences in the way the abstraction is arranged. For platform virtualization the following methods are available: Full virtualization; Paravirtualization; Hardware supported virtualization. These methods differ in the way the guest OS is isolated from the underlying hardware. Dependent on the chosen method of virtualization there are different (inherent) risks, according to Coen Klaver [KLAV01] and Angelo Montero [MONT01]. Cloud Computing is combining resource and platform virtualization into one solution to the mass.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

13

With virtualization, the (logical) boundaries are becoming vague, as can be seen from Figure 9. It does not (directly) demonstrate a weakness, but the dynamic functionality requires that it is controlled effectively and within the right time frame.

Figure 9 Traditional security layers are becoming vague with virtualisation

[HOPP01] Web 2.0 Some people think that Cloud Computing is the same as Web 2.0. However, Web 2.0 are techniques that make it possible to create websites with rich and sophisticated User interfaces which can generate user specific content and makes user interaction possible. So basically Web 2.0 makes it possible to develop dynamic websites. Examples are: Flickr1 Enables people to share their pictures with the rest of the world. You tube2 Enables people to share their videos. Wikipedia3 Enables people to share their knowledge. Enables people to manage their music in a very visual way. Music covery4 Like Cloud Computing there is no single definition for Web 2.0. The techniques used are for instance AJAX, Ruby and web services. Besides a rich and sophisticated User interface, Web 2.0 also enabled web applications to use information from other web applications, leading to the mash-up of applications. When we look at Gartners Hype Cycle [GART01], Figure 10, we see that both Web 2.0 as well as Cloud Computing are defined as technology. So when we look at the 5 key characteristics of Cloud Computing (On-demand self-service, Broad network access, Resource pooling, Rapid elasticity and Measured Service), Web 2.0 is not an enabler for any of these characteristics. The association with Cloud Computing is understandable because the SaaS application may be a Web 2.0 application or the Web 2.0 application is running on a Cloud.

1 2 3 4

http://www.flickr.com http://www.youtube.com http://www.wikipedia.org http://www.musicovery.com

14

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Figure 10 Gartners Hype Cycle

[GART01] Enterprise Service Bus The enterprise service bus is the layer which connects all the systems which need to communicate with each other with their sophisticated (a)synchronous messaging together. It provides a means to communicate via an event-driven and standards-based approach. The Cloud is also using an enterprise service bus so that is nothing new. Service Oriented Architecture SOA is an architectural style and stands for Service Oriented Architecture, whose goal is to achieve loose coupling among interacting software agents. A service is a unit of work done by a service provider to achieve desired end results for a service consumer. Both provider and consumer are roles played by software agents on behalf of their owners. The following figure shows a simple example of a SOA. Web shop De Gouden Berg uses the service check zipcode of Postcodechecker BV to validate that the address and zipcode are matching. In this example De Gouden Berg is the service consumer and Postcode checker BV is the service provider.

Figure 11 Example of a Service Oriented Architecture

1012 Thesis - Cloud Computing IT Opportunity or Business risk

15

Provisioning As described earlier grid computing is used to perform a common task. This task is usually performed for a scientific, technical or business problem that requires a great number of computer processing cycles or the need to process large amounts of data. This makes that most of the grids are used for different jobs. One week it might be running a task for NASA. The day after, it could be running the new public transport plan. As one can imagine a grid may be build up out of a couple of hundred or more computers. For an administrator it is impossible to reconfigure this number of computers manually. And there provisioning comes in. Provisioning tooling enables the company to develop a deployment (model or framework) once and deploys the individual systems many times. It basically makes a deployment repeatable. This means that the grid administrator only has to make one reconfiguration and that that reconfiguration can be used on all the other servers.

2.1.5 So, whats different then?


So far we have spoken about grid computing, provisioning and virtualisation and can conclude that until now there is nothing new. Therefore it is very understandable that a lot of people think that Cloud Computing is nothing new because we have known those techniques for years. The next figure from James Staten [STAT01] shows the paths to cloud computing from the existing techniques.

Figure 12 Transition from traditional IT to Cloud Computing

[STAT01] And yet there is a big difference. This is the ability of Cloud Computing to provide ondemand facilities for its customers by running software that on the one hand provides a web interface where customers can manage their infrastructure in a very user friendly way.

16

1012 Thesis - Cloud Computing IT Opportunity or Business risk

In most cases the infrastructure can be managed via a web interface where the customer can drag and drop new infra devices. On the other hand the software must be able to manage a grid of virtual IT resources (servers, network and storage). In that way, Cloud Computing differs from grid computing, provisioning and virtualisation, where a change has to be deployed by an administrator. The change composed by a customer can, in case of Cloud Computing, be deployed without any intervention of an administrator. The fact that there is no human intervention needed makes it possible to provide on-demand facilities. So basically what makes Cloud Computing different from traditional IT, grid computing and virtualisation, is the ability to provide an interface to its customers to manage their infrastructure. Platform Computing calls this software Cloud Management software [PLAT01] and they describe it as follows: An often-quoted definition of Cloud Computing comes from Charles Brett, a principal analyst at Forrester Research. Brett Says describes Cloud Computing as a pool of abstracted, highly scalable, and managed infrastructure, capable of hosting end-customer applications and billed by consumption. While the definition of what a Cloud delivers is quite clear, what is unclear is what IT needs to do to deploy a cloud. Precisely what products are required in order to build a pool of abstracted, highly scalable and managed infrastructure?

Figure 13 Cloud management software

The hardware components are apparent: servers, storage and networking all of which exist in todays data centers. What does not exist and this is the key to a successful Cloud deployment is the software layer. The software layer creates a shared computing infrastructure from physical and virtual resources in order to deliver Cloud Computing services upon request. This new layer is called cloud management software. [PLAT01]. This Cloud management software is in use by the supplier. Furthermore there is software or an interface to manage the Cloud for the end-users and/or IT-department within the company to interact with the Cloud management software. Certainly the aspect managed is of particular importance to an IT-auditor, as this is crucial to deliver the right resources to the right persons within the demanding organization to fulfil the needed tasks. Or better said, to be in control. A managed infrastructure is furthermore of importance when there is a need for controlled and autonomic provisioning and de-provisioning of computing power. 1012 Thesis - Cloud Computing IT Opportunity or Business risk 17

Therefore the Cloud Management software can be seen as an important aspect to control the availability of individual (virtual) servers and overall system usage. This layer needs the right controls in place (such as proper Identity and Access Management) to guarantee operations are carried out by authorized persons and to guarantee overall system availability.

2.2 Risks
On 10 March 2004 with the adoption of Regulation (EC) No 460/2004 of the European Parliament and of the Council, ENISA (the European Network and Information Security Agency) was founded. After a recruitment period, operations started in September 2005 with the mission to achieve a high and effective level of Network and Information Security within the European Union. In April 2009 ENISA conducted a security risk assessment of Cloud Computing technologies aimed to give advice to (among others) SMEs (Small and Medium Enterprises) on the most important risks in adopting Cloud Computing technologies, as well as ways to address those risks. Part of this security risk assessment was a survey [ENIS03]. In the next figures the results of 74 responses (september 2009) are revealed:

Figure 14 Main Concerns according to ENISA Survey

[ENIS03]

18

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Figure 15 Chart of main concerns according to ENISA Survey

[ENIS03] So based on the results of this survey the main risks are: The confidentiality of corporate data; Integrity of services and/or data; Availability of service and/or data; Privacy. In their Cloud Computing Risk Assessment [ENIS02], ENISA recognises the following risks (not in a particular order): Loss of Governance; Vendor lock-in; Isolation failure; Compliance risks; Management Interface compromise; Data protection; Insecure or incomplete data deletion; Malicious Insider. Two risks that are not mentioned but which we think are important are: The continuity of the Cloud service provider. In the past there has been one incident where from one day to the other a cloud provider stopped servicing due to a buyout5.

http://techcrunch.com/2009/02/18/coghead-grinds-to-a-halt-heads-to-the-deadpool

1012 Thesis - Cloud Computing IT Opportunity or Business risk

19

Understanding of Cloud Computing within the demand organization. Cloud Computing is complex, both from a technical perspective as well as from service offerings, and the demand organization must choose from all that is available the best solution for their specific need. And of course there will still be the inherent risk of using internet because web based threats are becoming increasingly malicious and sophisticated every day. The Computer Security Institute, in close cooperation with the FBI, reports annually about the Computer Crime and Security Survey. Hereafter follow some results for 2008 with percentages of key types of incidents. The risks mentioned pose a threat to the Internet and its connected computers. As mentioned earlier in paragraph 2.1, Cloud Computing is all about connected computers. The insider abuse has grown significantly in 2007, compared to the financial fraud which stayed the same, as can be seen in Figure 16 and Table 4, yet it shows a downturn in virus and spam abuse. Other threats [JONE01] like DNS, Bots and Theft or loss of customer data are growing, comparable with the growth of the Internet as can be seen in Table 5 and Figure 18 and Figure 19 (which are located in Appendix 3: Computer incidents) while Cloud Computing is all about connected computers through and on the Internet.

Figure 16 Overview of Internet threats

[RICH01] As Internet is the most common communication channel, risks such as mentioned above are a threat to the service providers and the customers and thus to the success of Cloud Computing. Besides the above mentioned risks that are inherent to Cloud Computing there are also risks for Cloud Computing itself. Trust Since Cloud Computing is a new development there should be confidence in the service delivery of a Cloud service provider. To provide proof to the customer that a service provider is in control, and thus can be trusted to fulfil the service, it takes more than only expressing that the service provider is in control. But as a teacher recently explained: Today you cant believe that 10 to 20 years ago we as auditors checked for compensating controls to assure that the CPU was working as it should be.

20

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Computations were carried out simultaneous on two different CPUs and the results were compared between the two to guarantee the result. The technology matured over the years and now almost no one is checking the working of the CPU anymore. Right to audit One of the regular parts of an outsourcing contract contains the right to audit. The right to audit is quite common with big outsourcing deals, even if the service provider has already provided some official (independent) statement. This gives the demanding party the ability to have an (independent) review of and at the supplier. Cloud service providers are not that willing to provide every customer the right to audit.6 The right to audit may be a risk for the service because it may lead to an ADoS (Audit Denial of Service), as Craig Balding describes in his article [BALD02]. So at the end of the day it is all about earning trust. And as Cloud Computing is just starting it has to earn that trust. In order to assure that Cloud Computing can be trusted lots of organisations like CSA, Jericho Forum, ENISA but also big vendors like Cisco, IBM, Oracle (SUN) and Microsoft are working on the maturity of Cloud Computing. And when they succeed it is inevitable that Cloud Computing will become the 5th utility besides water, gas, electricity and communication.

2.3 The future of Cloud Computing?


According to ITnews, Gartner predicts that by 2012, 80 percent of Fortune 1000 enterprises will be paying for some Cloud Computing services and 30 percent will be paying for Cloud Computing infrastructure services7. When you look at the investments companies like Microsoft, Google, SUN, Cisco and IBM are making in Cloud Computing, it is obvious that it is inevitable that Cloud Computing is going to stay and that we as IT auditors soon or later are coming across it. And then we better be prepared! The global Cloud Computing market is expected to grow at a compounded annual rate of 28 percent from $47 billion in 2008 to $126 billion by 2012, according to IBM based on various market estimates [IBM01]. Gartner predicts that the market for Cloud products and services will vault from US $46.4 billion in 2008 to US $150.1 billion in 2013 [HAMM01]. Even the US Government has made its first steps into the world of Cloud Computing with the creation of their Federal Cloud Computing Services which is available from: https://apps.gov/cloud/advantage/main/start_page.do, and is frequently being updated with new applications. Besides the financial investments other areas are also evolving, such as the techniques, security, legislation/regulation and standardisation. According to the METRI Group research8, the European Union needs to regulate Cloud Computing to take away some barriers which do exist until today with companies.
http://www.rationalsurvivability.com/blog/?p=877#comment-3649 http://www.itnews.com.au/News/112339,gartner-google-discuss-future-of-cloud-computing.aspx 8 http://www.computable.nl/artikel/ict_topics/infrastructuur/3271445/2379248/kroes-moet-cloud-computingreguleren.html
7 6

1012 Thesis - Cloud Computing IT Opportunity or Business risk

21

Examples of techniques which are likely to come or are available are: NOSQL databases9; Hypervisor-native CPUs10; Network-native Cloud Protocols11. Examples of standards which are likely to come or are available are: Standard for Cloud Computing [ISO01]; Cloud Data Management Interface12; Open Virtualization Format (OVF)13; Cloud Standards14. Cloud service providers are also providing more openness into for example their security measures and controls to gain the trust of the potentially interested parties and are evolving and improving their services.

2.4 Conclusion
Compared to IT of today, the hardware components are apparent for Cloud Computing: servers, storage and networking all of which exist in todays data centers. Besides the hardware components, techniques like grid computing, virtualisation and provisioning are being used. What does not exist and this is the key to a successful Cloud deployment is the Cloud Management Software layer. This software layer creates a shared computing infrastructure from physical and virtual resources in order to deliver Cloud Computing services upon request. Furthermore it reduces deployment time due to the fact that there is no human intervention of the cloud provider needed, enabling the customer to configure his/her IT environment as he/she wishes. And all of this is possible without any IT investments of the demand organization. Developments are focusing on maturing the Cloud via e.g. standardisation in order to increase the match with the requirements of the demanding clients. Lastly, Cloud Computing seems to be the aggressor for creating utility computing opportunities.

http://nosql-database.org http://doubleclix.wordpress.com/2010/01/26/cloud-2-0cloud-tngcloud-reloaded 11 http://doubleclix.wordpress.com/2010/01/26/cloud-2-0cloud-tngcloud-reloaded 12 http://www.automatiseringgids.nl/technologie/software/2010/15/snia-komt-met-standaard-voor-hetverplaatsen-van-data-in-de-cloud.aspx 13 http://en.wikipedia.org/wiki/Open_Virtualization_Format 14 http://cloud-standards.org/wiki/index.php?title=Main_Page


10

22

1012 Thesis - Cloud Computing IT Opportunity or Business risk

3 Outsourcing
3.1 What is outsourcing?
A definition of outsourcing is: Outsourcing is subcontracting a service, such as product design or manufacturing, to a third-party company.15 When we search for it on Google we get about 4,920,000 search items for definition outsourcing. The definition is, however, clearer than the definition of Cloud Computing as it is quite compact. Outsourcing happens quite often nowadays and is being chosen for the following reasons: Achieving a lower production cost; Focusing energy on the core competencies of a particular business; Making better use of available resources; Making more efficient use of labour; Making more efficient use of capital; Making more efficient use of information technology.

3.2 History
Outsourcing of IT started in the 70s, with the IBM Mainframe, but became a trend during the Internet bubble. The term itself was not added to the lexicon until the 1980s16.

3.3 Why outsourcing?


Outsourcing is a division of labour, usually to countries with lower labour costs and a high percentage of educated people. Dependent on the contract an outsourcings arrangement could involve the transfer of the management and/or day-to-day execution of an entire business function to an external service provider. The decision whether to outsource or to do in-house is primarily based on the strategic goals of the demanding organization. It could for example be of strategic use to have your core competences (staff and other resources) available to start a new project instead of supporting an older project or non strategic goal of the organisation. The client organization and the supplier enter into a contractual agreement that defines the transferred services. Under the agreement the supplier could acquire the means of production in the form of a transfer of people, assets and other resources from the client. The client in his case agrees to procure the services from the supplier for the term of the contract. The organizations of today are no longer asking themselves whether they should outsource, but rather how they should outsource their Information technology (hereafter: IT),[NEN01] as IT doesnt matter [CARR01], according to Nicolas G. Carr. IT is among the first services which get outsourced. A large percentage of the demanding companies which choose to outsource their IT can probably be explained by the speed of new IT inventions and their complexity, and thus the costs of keeping IT up-to-date. Therefore the demanding companies came to the conclusion that maintaining their own IT-department is costly.

15 16

http://www.ventureoutsource.com/node/18/print http://en.wikipedia.org/wiki/Outsourcing

1012 Thesis - Cloud Computing IT Opportunity or Business risk

23

3.4 Risks
Outsourcing is a double-edged sword. On the one hand, it is a viable business option which yields economic benefits for the demanding organisations; on the other hand, it can be an avenue for security risks to be introduced into organisations if proper understanding and planning have not been reasonably afforded. Failed projects which can occur for each IT project are also evident in the outsourcing of IT. Therefore outsourcing is not without risks, as is doing business, yet the risks become larger with transferring of data across the companies domain into the domain of the supplier. While companies outsource as much as possible and try to cover many, if not all risks, there remain some residual risks if the following points are not properly covered: Ownership of data; Access approval authority; Disclosure of sensitive information; Security controls at vendor site. Although risks exist in the process of outsourcing, demanding companies are willing to take the risks in favour of accomplishing their business growth strategies. One way to mitigate the risk of outsourcing to an acceptable level is with standardization by explaining relevant standards, providing guidance to involved parties and stimulating a common understanding.17

3.5 Outsourcing versus Cloud Computing


In paragraph 3.1 What is outsourcing?, we defined outsourcing as: Outsourcing is subcontracting a service, such as product design or manufacturing, to a third-party company.18 Cloud Computing (a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction) is meeting this definition because basically what we do is subcontracting the management of (a part of) our IT infrastructure to a third-party company. We endorse the opinion of Kate Craig-Wood [CRAI01] that there are only three striking differences between Cloud Computing and traditional IT infrastructure outsourcing: Shorter contracts: Hours, days or weeks (at most one month) rather than months or years (usually at least 6 months for traditional outsourcing). On-demand: Near-instant scaling / adding of resources. No up-front costs: The Capital Expenditure and installation is absorbed into the rental charges.

17 18

http://en.wikipedia.org/wiki/Outsourcing http://www.ventureoutsource.com/node/18/print

24

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Next question is: Can Cloud Computing give the same level of assurance as Outsourcing? Based on the differences between Outsourcing and Cloud Computing and the fact that Cloud Computing does not use any new techniques we can only come to the conclusion that this depends on the way that the on-demand characteristic has been realised. As described in paragraph 2.1.5, the on-demand characteristic is provided by the Cloud management software. So the level of assurance depends on the quality and the implementation of the Cloud management software. This component falls outside the scope of this thesis, as this is considered IT technology. As such, we are not able to determine whether Cloud Computing can give the same level of assurance as Outsourcing. It is furthermore depending on risk analysis and classification of the information security. We will discuss this further in chapter 6.

3.6 Conclusion
Cloud Computing can be seen as a particularised form of outsourcing with a more flexible cost model through pay-as-you-go and pay-per-use and provides the feature of (near) instant adding or scaling of resources. Cloud Computing reduces deployment time due to the fact that there is minimal human intervention needed to configure the infrastructure in comparison with Outsourcing. Furthermore Cloud Computing does not require any IT investments to the demand organization compared to traditional solutions. Towards the level of assurance we can only say within the scope of this thesis that this is dependent on the quality and implementation of the Cloud management software.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

25

4 SAS70
For outsourcing a common way to gain assurance on the right functioning (as agreed upon) of the outsourcer (supplier) a common method is to gain an independent insight by means of an (independent) statement of control. The most often used statement for this is a SAS70 report. Due to the nature of a SAS70 report and its controls it could also be used to gain assurance on Cloud Computing. In this chapter we will verify whether a SAS70 report is suitable to gain assurance on Cloud services.

4.1 What is SAS70?


The term SAS70, which is an abbreviation of Statement on Auditing Standards No. 70: Service Organizations, is a set of auditing standards, designed in America by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) [AICP01]. While following the auditing standards, an (independent) (service) auditor from the supplier may write a SAS70 report for another auditor, the (user) auditor of the company which is demanding the services. The report is used to give an opinion about the internal controls of a service the supplying organization, within a certain period (see 4.4) and within a defined scope (see 4.5), to deliver an official statement. The statement is set up as an official format for communication between auditors of the supplier and demanding (customer) organization. The supplying organization, i.e. the service organization, is providing/delivering a service to its customer(s) which has to be delivered within the agreed boundaries. To be able to continuously receive the agreed upon level of service, additional assurance about the quality controls needs to be provided. This is the underlying basis for the SAS70 report.

4.2 The organizations providing services


The service organization (supplier), also referred to as the tertiary sector of the economy, is producing a service instead of just an end product. There are many examples of organizations supplying services, as mentioned by Starreveld. For this thesis our primary focus is limited to the following grouping of service organizations, which directly relates to IT (components): Hosting providers; Data centers; Application service providers (ASP); Software developers; Telecommunication companies; Managed Hosting & Storage; And numerous other companies which deliver IT services.

4.3 Type of report


A SAS70 report consists of two parts, type 1 and 2.

4.3.1 Type 1
A type 1 SAS70 report describes the opinion of the service auditor(s) with respect to the design and implementation of the (internal) controls setup and is made available by the service organization of the supplier. The controls must give a representation of the measures in place to achieve the (business) targets. Furthermore the service auditor must assess the suitability of the measures which are in use.

26

1012 Thesis - Cloud Computing IT Opportunity or Business risk

4.3.2 Type 2
A type 2 SAS70 report is a supplement to the type 1 SAS70 report. A type 2 report describes whether the control measures which are written in the type 1 report have (effectively) worked during the period of review.

4.4 Timing of an SAS70 report


A SAS70 report is made to give a representation of the existence and working of the internal control measures within a defined period. This period is by default one year, but can also be for example 6 months. There are no guidelines which demand a specific audit frequency. The frequency is dependent on its usage by the companies which request the report. The report is always about a past period.

4.5 Scope of an SAS70 report


The scope of an SAS70 report which is described in detail indicates the usability of the report. The scope gives further insight in: What is tested (e.g. which controls); How they have been tested (using which methods); How much where they tested (e.g. the frequency).

4.6 Difficulties with SAS 70 Reports


The following difficulties [GOWA01] may explain why the value (the amount of assurance which is gained) of a SAS70 report is varying and dependent on the user organization (demander): The service center auditor (supplier) will only review the controls selected by the service center for review. The controls selected for review by the service organization may not include a control that may be considered critical by the auditor of the user organization. The service auditor will make a single, overall evaluation rather than a control-bycontrol evaluation, while the user auditor has to make risk assessments evaluations assertion by assertion. The scope of the service center auditors testing may not be sufficient for the user auditors purpose. A control considered effective by the service auditor may not be considered effective by the user auditor or vice versa. A control-by-control evaluation would provide the user auditor with better information on which to make risk assessments than would an overall opinion. Although the above mentioned difficulties exist: The reports have been used for more than 10 years. Use of SAS 70 reports has grown since the passage of the Sarbanes-Oxley Act. and With passage of the Sarbanes-Oxley Act, SAS 70 quickly became the global de facto standard for service organizations reporting. Today, it is estimated that more than 1,000 SAS 70 reports are issued globally for a myriad of outsourced services and in multiple languages. [GOWA01].

1012 Thesis - Cloud Computing IT Opportunity or Business risk

27

4.7 Differences between a SAS70 report and other reports


The SAS70 report is as mentioned before in paragraph 4.1 subjected to stringent rules and guidelines. However, other important factors such as which control objectives need to be tested and other differences have been examined by Sailesh Gadia for ISACA19. In the following table the key differences of SAS 70 are placed against the Trust Services Reports (SysTrust or WebTrust) in providing assurance for Cloud Computing. The usability of an SAS 70 or Trust Services Report is depending on the type of application and the processes outsourced. SAS 70 versus Trust Services Reports SAS 70 (Type II )

Trust Services Report (SysTrust or WebTrust) Yes (security, confidentiality, Preestablished No. availability and processing control integrity). objectives Privacy, business continuity and No exclusions as long as it relates to Scope disaster recovery. system reliability. exclusions Provides a report on the Cloud Provides a report on system Nature service providers controls related to reliability, using standard principles financial statement assertions of and criteria. user organizations. Systems that process transactions or Any financial or non financial Types of data for the user organization that system. systems are relevant for user organizations financial statements. No restriction. Distribution Limited distribution report; user organizations and user auditors of report only. User organizations and user auditors Customers, auditors of customers, Audience for only. management and business partners. report No. Yes. Marketing material
Table 2 SAS 70 versus Trust Services Reports

[GOWA01]

4.8 Usability of a SAS70 report for Cloud services


We conclude this chapter by describing how and to what extent it is possible to use a SAS70 statement for outsourcing of IT components in case of Cloud Computing services and which elements and characteristics are key for getting assurance. It is a big plus that a SAS70 report can have specific controls in place which are not covered in other trust services reports or statements. This can, however, be a big risk as well. There are no (strict) sets of controls which need to be tested and therefore a service provider can decide to have a small scope and thus filter out specific controls which could be relevant for the demand organisation.

19 Information Systems Audit and Control Association - Worldwide association of IS professionals dedicated to the audit, control, and security of information systems

28

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Narrowing the scope occurs when there is for example not enough budget to test the full set, or even worse, when the service provider wants to supply a clean report20. This may be done unnoticed as there is less insight in the measures of a service provider. There are no real safeguards that a SAS70 report does contain all controls of importance. Therefore there should be at least a standard set of minimum controls which need to be tested by the Cloud service provider auditor to gain a reasonable amount of assurance and the ability to test additional (specific) controls from the demanding organizations. A standard set of minimum controls (which is not directly related to the financial statement of a demanding company) is covered within ISAE3402, the anticipated successor of SAS70, according to Dennis Houtekamer and Remco de Graaf [HOUT01]. The standard set of controls defined within ISAE3402 has no relationship with Cloud Computing and is generic to suit all kinds of service organizations. Thus a specific set of controls for Cloud Computing would still be needed. Therefore we suggest the minimum set of controls in a Cloud Computing environment for a SAS70 (type 2) statement to be: Statement on the working of the Cloud management layer software; Access control on the APIs within the Cloud management layer software; Inclusion of vulnerability assessments on the management portal software; Data segregation controls; Network segregation controls; Data protection controls; Business continuity controls; Audit and logging controls; Furthermore the following controls such as; Organizational controls, application development and maintenance controls, logical security and access controls, application controls, system maintenance controls and data processing controls. The controls we suggest primarily focus on the additional Cloud management software, as this is the only technical difference with Outsourcing. The list can be supplemented with organizational and traditional controls such as general IT controls and application controls. Organizational controls which include for example human resource management, strategy and vision. Even Gartner has doubts about the usability of SAS70, as can been seen from the following: It remains to be seen whether International Organization for Standardization 27001, SysTrust or perhaps some new, purpose designed certification will prove most useful. Statement on Auditing Standards No. 70 is generally not appropriate for the generic types of services being offered in the Cloud, although it is being used as a form of third-party risk assessment for SaaS offerings, especially those that are more relevant to Sarbanes-Oxley regulated data.[HEIS01].

4.9 Conclusion
SAS70 only describes the way an audit has to be performed but leaves the scope and the objects up to the supplier. So it is possible to have a supporting statement such as an SAS70 type 2 report or other equal statement made by an independent third party. But this all depends on the scope of the objects. And because there is no standard set of objects that are being reviewed the SAS70 statement does not give enough assurance.
20

http://www.lifelinedatacenters.com/data-center-certification/greg-shipley-cloud-computings-risks-and-sas-70

1012 Thesis - Cloud Computing IT Opportunity or Business risk

29

5 Real life examples


In the previous chapters of our thesis we merely investigated the assurance on Cloud Computing from a theoretical point of view. To verify if our assumptions and the global opinion about Cloud Computing exhibits the same sceptics, we have held interviews with companies from the demanding party. The interviews were based on the research questions of this thesis, which can be found in paragraph1.2. The companies we interviewed preferred to stay anonymous. The opinions discussed were also partly based on personal note/title and do not necessarily endorse the same position of the companies we interviewed. The interviews can be found in appendix 1: Interviews.

5.1 Conclusion
We can see a large difference between the retailer and the financial institution. The first one does not care too much about security (controls) and the latter one is much more focused on controlling. This can partly be explained due to the position they fulfil within the Society. A financial institution always has an important role in facilitating the flow of money through the economy and therefore is highly regulated. As we have seen with the financial crisis, the regulators (government and its controlling institutions) do fail and a (financial) system which is overregulated or under regulated is likely to fail. Another reason could be that the retailers only assets are concepts. The fact that these concepts are protected by Intellectual Property rights is a compensating control. Both agree that the risk of unavailability or losing data is important and that it matters where the data physically resides based on other jurisdictions.

30

1012 Thesis - Cloud Computing IT Opportunity or Business risk

6 IT Audit Aspects
For an IT-auditor, it is of importance to have a framework or set of standards which cover the audit aspects for IT. This forms a solid basis for both the customer (demand organisation) and the supplier (service provider). As new technologies emerge, such as Cloud Computing, it is not an easy task to keep up at the same pace with a corresponding framework or set of standards. Therefore much effort is put in keeping a generic view and thus framework, to overcome abnormalities and focus on the mass. Further effort is afterwards needed to tailor the standards to the specific organization that is audited or demands an audit.

6.1 Introduction
The (internal) controls, (compensating) measures, frameworks and standards are developed and updated to minimize risks and give assurance about the functioning of a service, IT component or other object. Every system, albeit a framework, set of standards or best practices, used has its specific usage and attention points and does not always fit the job. A few causes why other standards have failed include: Existing frameworks are too large and detailed and thus become overwhelming; Existing frameworks are too complex; Existing frameworks are written from one point of view only; Organizations already had their own approach; Some organizations put more trust in their own approach. To overcome these problems the Platform voor InformatieBeveiliging(PvIB) and NOREA made an attempt to provide a set of standards with a study report called Normen voor de beheersing van Uitbestede ICT-beheerprocessen or Standards for the control of outsourced IT management processes for assurance on outsourcing of IT-components mainly by and for IT auditors. The study report takes into account the view of the auditor and the demanding and supplying organization. Furthermore it covers the different stages during the lifecycle of an outsourcing process. One of the big advantages, because of its widespread familiarity and usage, is the incorporation of the cyclic process approach from Deming (PDCA) in the study report. Other advantages of the study report are: A clear structure; A descriptive way of what should be achieved, and not how it should be achieved; Its usage for companies of different sizes; Easy to relate to other well-known international standards; A wide support; Its focus on the quality requirements: o Confidentiality, Integrity, Availability and Accountability. The study report should even function in the modern world of today in which companies are organized into: A customer organization that deals with multiple suppliers; A supplier that delivers to multiple client organizations; Several organizations that work together in a chain.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

31

It does, however, focus only on standards for processes related to the general IT controls and does not take into account/consideration specific technical measures and parameters; it must be used in close cooperation with specific standards.

6.2 The framework


There is no framework for Cloud Computing defined which covers every aspect until now. In this chapter we are trying to verify if the study report from the NOREA and PvIB will succeed in encompassing the right fit. The framework consists of the following 14 chapters: 1. Generieke beheersaspecten or Generic control aspects; 2. Service Level Management; 3. Supplier Management; 4. Security Management; 5. Infrastructure Management; 6. Access Management; 7. Capacity Management; 8. Availability Management; 9. Continuity Management; 10. Configuration Management; 11. Change Management; 12. Incident Management; 13. Problem Management; 14. Operations Management. The framework from the study report shares similarities with the following frameworks: Cobit 4.0 (Control Objectives for Information and related Technology, a set of best practices (framework) for information technology (IT) management, provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company); ISO/IEC 27002:2005 (provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems); ISO/IEC 20000-2 (Information Technology Infrastructure Library (ITIL), a set of concepts and practices for managing Information Technology (IT) services, IT development and IT operations). The term similarity resemblance in the study report does not mean that it fully covers the standard; the standards are (closely) related to each other or have some degree of overlap. As mentioned before the framework works with the Deming cycle (Plan-Do-Check-Act) as a conditional aspect for each of the aforementioned processes. The framework is set up with two circles. The outer circle is the PDCA loop which contains the same checks, Policy Planning, Execution, Monitoring and Maintenance, with a constant reporting function. And the inner cycle is focused on the activities within the process itself. An example is included in Figure 17. The standards which are addressed are organized within the four PDCA process steps, have an indication if the standard is critical or not, a specific control objective per process and the document in which it should or could be included. A nice addendum is the incorporation of performance indicators per process.

32

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Figure 17 Example of NOREA framework

[NOREA01]

6.3 Comparison
In the following table (Table 3) we have compared the most important characteristics of Cloud Computing (paragraph 2.1.2) against the assurance which can be gained by the framework from a demand view. Cloud Computing characteristics On-demand selfservice (Resource Democratization) NOREA Framework coverage

The functionality which is needed to turn a traditional environment into an on-demand environment implicitly assumes a technical environment to facilitate this. The technical aspects of Cloud Computing fall outside the scope of this thesis and are, moreover, not covered within the NOREA Framework. We come to this conclusion since the control on the availability and accessibility is made autonomous within the Cloud management software of the supplier. Broad network access Yes, this can be covered with the NOREA Framework standards within Infrastructure Management (numbers 1, 2 and 6) and (Services Oriented Access Management (All standards (1 to 12) are needed / useful). Architecture) No, this cannot be covered with the NOREA Framework as Resource pooling dynamically assigning and reassigning according to consumer (Abstraction of demand is part of an automated process within the Cloud Infrastructure) management software of the supplier. Rapid elasticity No, this cannot be covered with the NOREA Framework as the (Elasticity/Dynamism) control on the provisioning process is (almost) entirely automated within the technical environment of the Cloud management software.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

33

Cloud Computing characteristics Measured Service (Utility Model of Consumption & Allocation)

NOREA Framework coverage Yes, this can partially be covered with the standards from the NOREA Framework as the standards give some coverage for the measuring of the overall system and providing the reports for this. However, the capabilities are part of an automated process within the Cloud management software of the supplier.

Table 3 Cloud Computing characteristics versus NOREA Framework coverage

6.4 Conclusion
We have mentioned in paragraph 3.6 that Cloud Computing is a particularised form of Outsourcing. The NOREA framework is capable of providing assurance for the generic process oriented standards provided within the 14 chapters. However, it must be accompanied with specific controls to mitigate risks which exist within the technical measures and parameters. The framework is focused on the control of the processes in use and does not have measures for the characteristics which make Cloud Computing, namely on-demand self-service, resource pooling and rapid elasticity, which are all primarily based on using specific technical configurations, which are provided by the Cloud management software. For example, change management from a demand view is almost gone as changes (such as requesting a new web server) are no longer separated between different persons but done mostly autonomously. The requestor (client) approves its own request with the commit button and the rest is done automatically within the Cloud management software. The NOREA framework does not provide reasonable assurance against the potential risks involved with Cloud Computing in supporting a controlled environment for the Cloud management software layer. The Cloud management software layer is the other piece of the coin on which assurance is needed to give a reasonable level of assurance on a Cloud Computing solution. Security management can be considered as the most important element and characteristic of the IT audit Outsource policy because it covers the complete spectrum of confidentiality, integrity, availability and accountability and is the basis to build upon a controlled secured environment. An insight into the need for a rapidly deployed and scalable infrastructure is needed to be able to serve up peak traffic [BABC01], such as occurred after the tragic death of Michael Jackson on June 25 2009. Sony Music Entertainments infrastructure could not deliver the enormous bandwidth which was needed when people were massively searching for information about their idol. Sony Music Entertainment had the capacity to process transactions and record comments from 200 shoppers at a time, well beyond expected traffic levels. The traffic spike which occurred, however, must have looked liked a distributed denial of service. Therefore we conclude that it is possible to use the IT audit Outsource policies because standards from the NOREA framework can be used to provide assurance on the different IT management processes. The framework has to be supplemented to cover standards for the control on the Cloud management software.

34

1012 Thesis - Cloud Computing IT Opportunity or Business risk

7 Conclusion
During our research we discovered that Cloud Computing is a marketing hype which is primarily based on existing techniques (Old wine in new bags), but does offer new potential and a new economy. Furthermore it looks as if Cloud Computing is becoming the aggressor of providing computing power as a utility. Because Cloud Computing is a combination of existing techniques it has inherited the risks of the underlying techniques as well as created some new risks or increased the impact of the risk. These risks are largely technical (security) risks, which we did not research as we focused on the demand side only. We also looked into Outsourcing and came to the conclusion that Cloud Computing is very similar to Outsourcing with only three striking differences: Shorter contracts: Hours, days or weeks (at most one month) rather than months or years (usually at least 6 months for traditional outsourcing). On-demand: Near-instant scaling / adding of resources. No up-front costs: The Capital expenditure and installation is absorbed into the rental charges. Although Cloud Computing is very similar to Outsourcing we were not able to determine whether it could give the same assurance, because of the Cloud management software, which is not known to the demand organization. This falls outside the scope of this thesis but it may be a good subject for another thesis. Our research of the NOREA Framework for Outsourcing revealed that it can provide enough assurance for Cloud Computing services because the framework concentrates on the General IT management processes and scoped all technical controls out. The key characteristic for Cloud Computing is the on-demand feature which is delivered by the Cloud Management Software. This results in the following key Elements and characteristics of the NOREA Framework for Outsourcing for the Cloud Management Software: An updated, by management approved documented risk analysis which contains the agreed policies, service levels and management objectives; An up to date documented security design available which covers the IT services, including the uncovered (residual) risks which have been signed by management; ICT services are periodically reviewed for vulnerabilities; Use / access and attempts of unauthorized use / access of ICT resources are registered; Records of usage / access and attempts of unauthorized use / access of ICT resources are regularly examined for evidence of unauthorized use and if necessary corrective actions are initiated. These key items have been derived from security- and infrastructure management. We also examined whether a SAS70 (type 2) statement could provide enough assurance for Cloud Computing services, but it turned out that the assurance is very dependent on the selected set of controls and the control environment. The problem with SAS70 is that a standard set of controls (for Cloud Computing) is not defined and thus provides the freedom to be defined by the Cloud (service) provider. Therefore we suggest the minimum set of controls in a Cloud Computing environment for a SAS70 (type 2) statement to be: Statement on the working of the Cloud management layer software;

1012 Thesis - Cloud Computing IT Opportunity or Business risk

35

Access control on the APIs within the Cloud management layer software; Vulnerability assessment of the management portal software; Data segregation controls; Network segregation controls; Data protection controls; Business continuity controls; Audit and logging controls; Furthermore the following controls such as; Organizational controls, application development and maintenance controls, logical security and access controls, application controls, system maintenance controls and data processing controls.

The fact that the International Standardization Organisation (ISO) [ISO01] announced that they are preparing a Cloud Computing standard indicates that the standards used today are not sufficient. This could be an interesting lead for further research concerning the standardisation of Cloud Computing and the frameworks to provide assurance. From a demand perspective it is unknown whether the risks of Cloud Computing can be mitigated without a specific set of standards defined for the Cloud service and without the right to audit. It is thus of importance to have the right to audit to test whether the system of measures implemented at the Cloud service provider is sufficient and meets the requested level of assurance. If the right to audit is not implemented there is a need for a set of standards which have been tested by a trusted third party such as an independent auditor. A defined set of standards are needed to give guidance to the demand side, the cloud service provider and the independent auditors to gain sufficient assurance regarding the functioning of the control system (the system of measures) from design, existence and functioning. So at the end of the day Cloud Computing is an IT opportunity and a Business Risk!

36

1012 Thesis - Cloud Computing IT Opportunity or Business risk

7.1 Personal reflection


7.1.1 Sander
As I have read more and more about Cloud Computing I came to the conclusion that the current controls are not sufficient in giving enough assurance. This can be explained by the constant layering or rings (much like an onion) which are placed into or on top of each other. There is nothing wrong with a layered defence, but we must not forget that it is more window dressing or hiding of the real problem. In my opinion there remain risks when doing business and although people are honest by nature, there will always be some bad examples for which we make rules, regulations and controls. Furthermore technology cannot be used to stop human error (intentionally or not). However when taking into account some of the new initiatives, I foresee a new commodity in Information Technology and a major shift upcoming in comparison to the way we treat computers and information. We are at the beginning of a new era and had better be prepared for what is coming!

7.1.2 Jurgen
Like Sander the more I read about Cloud Computing the more I became convinced that the current frameworks are not sufficient for both parties (demander and supplier). In this thesis we only looked at Cloud Computing from a demand perspective but I just read an article of Craig Balding (www.cloudsecurity.org) in which he describes a new denial of service technique, i.e. ADoS (Audit Denial of Service). What strikes me the most in this article is his example that the cloud provider must meet the companies Bluetooth security policy. So I think that Cloud Computing is going to be a big thing in the future. It certainly has the potential to become the 5th element but then we (audit/demander/supplier) have to work together. And it is good to see that organisations like ISACA, INESA, CSA, IEEE have joined together to held the SecureCloud2010 event last March in Barcelona. ISO and ENISA share the opinion that the current frameworks are inadequate. ISO announced the development of a new standard specific for Cloud Computing [ISO01] and ENISA states in her Cloud Computing Information Assurance Framework that The detailed framework scheduled for release in 2010 is intended to include additional standards such as NIST SP 800-53. [ENIS01]. And the news that ISO is going to develop a new standard is a signal that Cloud Computing is definitely on its way. And whether it is something old or new we better be prepared!

1012 Thesis - Cloud Computing IT Opportunity or Business risk

37

Reference List
[3TER01] [3TER02] [AICP01] [AMAZ01] [ARVA01] 3tera, AppLogic - Cloud Computing Infrastructure Platform, 3tera, October 2008 3tera, AppLogic - Utility Computing Services for SaaS and Web 2.0, 3tera, September 2006 AICPA, Service Organizations, AICPA, (http://www.aicpa.org/download/members/div/auditstd/AU-00324.PDF) Amazon, Amazon Web Services Overview of Security Processes, Amazon, June 2009, (http://aws.amazon.com/) Arvanitis, Nicholas, Slaviero, Marco, and Meer, Haroon, Clobbering the Cloud, SensePost, 2009, (http://www.defcon.org/images/defcon-17/dc-17presentations/defcon-17-sensepost-clobbering_the_cloud.pdf) Babcock, Charles, Cloud Computing Will Force The IT Organization To Change, Informationweek, 2009, (http://analytics.informationweek.com/abstract/6/1694/Data-Center/cloudcomputing-will-force-the-it-organization-to-change.html) Bakker, Jasper, IBM: clouds Amazon en Google zijn mistig, webwereld.nl, Februari 2010, (http://webwereld.nl/nieuws/65194/ibm--clouds-amazon-engoogle-zijn-mistig.html) Balding, Craig, The Belgian Beer Lovers Guide to Cloud Security, September 2009, (http://www.cloudsecurity.org) Balding, Craig, Stop the Madness! Cloud Onboarding Audits - An Open Question, June 2009, (http://cloudsecurity.org/blog/2009/06/16/stop-themadness-cloud-onboarding-audits-an-open-question.html) Berger, Irving Wladawsky, Cloud Computing Promise & Reality, July 2008, (http://alwayson.goingon.com/permalink/post/28058) van den Berge, Edie and ten Seldam, Matthijs, Informatiebeveiliging in een virtuele wereld, PvIB, IB 2008/7 Bessoudo, Jacques, Using SUN Systems to build a virtual and dynamic infrastructure, SUN, December 2008, (http://wikis.sun.com/display/BluePrints/Using+Sun+Systems+to+Build+a+Vi rtual+and+Dynamic+Infrastructure) box.net, Box_Overview_2-4, BOX, 2009 box.net, Security_Overview_2-1, BOX, 2008 Brunette, Glenn, Cloud Computing Security Overview, SUN, 2009, (http://www.sun.com/cloud) 1012 Thesis - Cloud Computing IT Opportunity or Business risk

[BABC01]

[BAKK01]

[BALD01] [BALD02]

[BERG01] [BERG02] [BESS01]

[BOX01] [BOX02] [BRUN01]

38

[BSI01] [BSI02] [BUYY01]

British Standards Institution, BS ISO-IEC 27001, British Standards Institution, October 2005 British Standards Institution, BS ISO-IEC 27002, British Standards Institution, June 2005 Buyya, Rajkumar, Yeo, Chee Shin, Venugopal, Srikumar, Broberg, James, and Brandic, Ivona, Cloud computing and emerging IT platforms:Vision, hype and reality for delivering computing as the 5th utility, Elsevier, Future Generation Computer Systems 2009/25 Carolan, Jason and Gaede, Steve, Introduction to Cloud Computing Architecture, SUN, June 2009, (http://www.sun.com/featuredarticles/CloudComputing.pdf) Carr, Nicholas G., IT Doesn't Matter, Harverd Business Review, May 2003, (http://www.roughtype.com/archives/2007/01/it_doesnt_matte.php) Chappell, David, A short introduction to cloud platforms - An enterpriseoriented view, August 2008, (http://www.davidchappell.com/CloudPlatforms-Chappell.pdf) Chung, Mike W. S., Informatiebeveiliging versus SaaS, KPMG, 2008, (http://www.compact.nl/artikelen/C-2008-4-Chung.htm) Chung, Mike W. S., Informatiebeveiliging versus SaaS, Norea, EDP-auditor 2009/2, (http://www.norea.nl/readfile.aspx?ContentID=52610&ObjectID=502407&Ty pe=1&File=0000026216_Informatiebeveiliging.pdf) Craig-Wood, Kate, The differences between IT outsourcing and Cloud Computing, September 2009, (http://www.katescomment.com/difference-itoutsourcing-cloud-computing/) Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, CSA, December 2009, (http://www.cloudsecurityalliance.org/csaguide.pdf) Curran, Richard, Cloud Computing - Passing FAD or E-Business revolution, Intel, 2009, (http://www.connectworld.com/articles/recent_article.php?oid=EMEA_2009_04) Rodriguez, Jeremy and Hay, Graeme, Cloud Computing Track Results, Data Center Pulse, February 2009 Molenaar, Teus, Complexiteit cloud wordt onderschat, DatacenterWorks, May 2009, (http://www.datacenterworks.nl/uploads/dcw%20mei%202009.pdf)

[CARO01]

[CARR01] [CHAP01]

[CHUN01] [CHUN02]

[CRAI01]

[CSA01]

[CURR01]

[DCP01] [DCW01]

1012 Thesis - Cloud Computing IT Opportunity or Business risk

39

[ENIS01]

European Network and information Security Agency, Cloud Computing Information Assurance Framework, ENISA, November 2009, (http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/cy-activityInterface2010/Presentations/Outlook/Cloud_Computing_Information_Assurance_Fram ework.pdf) ENISA, Cloud Computing Risk Assessment, November 2009, (http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-riskassessment/at_download/fullReport) ENISA, Survey - An SME perspective on Cloud Computing, November 2009, (http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-smesurvey/at_download/fullReport) Everest Research Institute, Everest ITO Study: Cloud Computing Can Benefit Traditional Enterprise Setups, Offers Little Gain for Virtualized Centers, ERI, March 2010, (http://eon.businesswire.com/portal/site/eon/permalink/?ndmViewId=news_vie w&newsId=20100309006510&newsLang=en) Everett, Catherine, Cloud computing - A question of trust, Computer Fraud & Security June 2009 Ernst & Young, Cloud Computing - VTO Thought leadership1, Ernst & Young, April 2009 Ernst & Young, IT trends - Cost reduction through virtualization and cloud computing, Ernst & Young, January 2009 Finch, Lindsey, Horvath, Jane, Kothari, Sachin, and Pearson, Harriet, Cloud Computing & Privacy, IAPP, March 2009 Gadia, Sailesh, Cloud Computing: An Auditor's Perspective, Isaca, Isaca Journal 2009/6, (http://www.isaca.org/Template.cfm?Section=KNET3&Template=/gir/memOnly.cfm&itemID=9145) van, Gansewinkel Rob and de Vries, Jan Willem, Servervirtualisatie Beveiliging as usual, PvIB, IB 2008/7 GARTNER, Gartner's 2009 Hype Cycle Special Report Evaluates Maturity of 1,650 Technologies, Gartner, August 2009, (http://www.gartner.com/it/page.jsp?id=1124212) Gowans Miller, Anna D., SAS 70 Reports: Are They Useful and Can They Be Improved?, AGA, July 2008, (http://www.agacgfm.org/research/downloads/CPAG15.pdf) Hackett, Sean, Managed Services: An Industry Built on Trust, IDC, February 2008, (http://www.centuric.com/LinkClick.aspx?fileticket=LG87mdNsMyM%3D&t abid=59) 1012 Thesis - Cloud Computing IT Opportunity or Business risk

[ENIS02]

[ENIS03]

[ERI01]

[EVER01] [EY01] [EY02] [FINC01] [GADI01]

[GANS01] [GART01]

[GOWA01]

[HACK01]

40

[HAMM01]

Hamm, Steve, Cloud Computing's Big Bang for Business, Businessweek, June 2009, (http://www.thefreelibrary.com/+CLOUD+COMPUTING%27S+BIG+BANG +FOR+BUSINESS-a01611897042) Heiser, Jay and Nicolett, Mark, Assessing the Security Risks of Cloud Computing, Gartner, June 2008, (http://www.gartner.com/DisplayDocument?id=685308) van der, Hoeven Rob, De opkomst van virtualisatie verandert informatiebeveiliging, PvIB, IB 2008/7 Hoff, Chris, Dear Mr_ Schneier, If Cloud Is Nothing New, Why Are You Talking So Much About It, June 2009, (http://www.rationalsurvivability.com/blog/?p=952) hoppe, norman, Risk Evaluation of Virtualisation and Cloud Computing, ING, September 2009 Houtekamer, Dennis and de, Graaf Remco, ISAE 3402: einde van SAS 70 in zicht?, Norea, EDP-auditor 2009/1 Parks, Randall S., Harvey, James A., and Esch, Roxanne, Cloud Computing: What to Ask When the Clouds Roll In, Hunton & Williams, June 2008, (http://www.hunton.com/files/tbl_s47Details%5CFileUpload265%5C2247%5 CCloud_Computing.pdf) IBM, Panasonic Ushers in the Cloud Computing Era with IBM LotusLive, IBM, January 2010, (http://www03.ibm.com/press/us/en/pressrelease/29189.wss) IBM, Security: IBM System z partitioning achieves highest certification, IBM, September 2006, (http://www03.ibm.com/systems/z/advantages/security/certification.html) ISACA, Cloud Computing: Business Benefits With Security, Govenance and Assurance Perspectives, Isaca, October 2009 ISO, Automatisering Gids, Richard Keijze,16 april 2010 (http://www.automatiseringgids.nl/it-in-bedrijf/beheer/2010/15/iso-wil-cloudstandaardiseren.aspx) Jackson Higgins, Kelly, Cloud Computing Will Cause Internet Security Meltdown, (http://www.darkreading.com/securityservices/security/attacks/showArticle.jht ml?articleID=218102139) Jackson Higgins, Kelly, Report: No Magic Bullet For Database Server Security, (http://www.darkreading.com/database_security/security/encryption/showArtic le.jhtml?articleID=217800855)

[HEIS01]

[HOEV01] [HOFF01]

[HOPP01] [HOUT01] [HUNT01]

[IBM01]

[IBM02]

[ISAC01] [ISO01]

[JACK01]

[JACK02]

1012 Thesis - Cloud Computing IT Opportunity or Business risk

41

[JERI01]

Jericho Forum, Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration, Jericho Forum, April 2009, (http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf) Jericho Forum, Jericho Forum and Cloud Security Alliance join forces to address Cloud Computing Security, Jericho Forum, May 2009, (http://www.cloudsecurityalliance.org/pr20090527.html ) Joint, Andrew, Baker, Edwin, and Eccles, Edward, Hey, you, get off of that cloud?, Elsevier, Computer Law & Security Review 2009/25, (http://www.mendeley.com/research/hey-cloud/) Jones, Andy and Ashenden, Debi, Risk management for computer security: Protecting your network and Information assets, Elsevier Butterworth, 2005 Jones, Tim, Cloud computing with Linux, IBM, February 2009, (http://www.ibm.com/developerworks/linux/library/l-cloud-computing/) Klaver, Coen, Virtualization - Challenges that virtualization bring to traditional IT security controls, (http://www.vurore.nl/templates/downloads/824_traditional_IT_security_contr ols_Klaver_.pdf) O'Leary, John G., Information Security in a Flat World, 2008 Lofstrand, Mikael, The VeriScale Architecture: Elasticity and Efficiency for Private Clouds, SUN, September 2009, (http://wikis.sun.com/display/BluePrints/The+VeriScale+Architecture++Elasticity+and+Efficiency+for+Private+Clouds) van de, Looy Hans, Gebruik virtualisatie bij penetratietesten, PvIB, IB 2008/7, (http://www.b-able.nl/doc/Artikel_sec_virt_112008.pdf) Mather, Tim, Kumaraswamy, Subra, and Latif, Shahed, Cloud Security and Privacy, O'Reilly, September 2009 Mell, Peter and Grance, Tim, Effectively and Securely Using the Cloud Computing Paradigm, NIST, June 2009, (http://csrc.nist.gov/groups/SNS/cloud-computing/index.html) Mell, Peter and Grance, Tim, Perspectives on Cloud Computing and Standards, NIST, 2009, (http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/200812/cloud-computing-standards_ISPAB-Dec2008_P-Mell.pdf) Mell, Peter and Grance, Tim, The NIST Definition of Cloud Computing, NIST, August 2009, (http://csrc.nist.gov/groups/SNS/cloud-computing/clouddef-v15.doc) Microsoft, Securing Microsoft's Cloud Infrastructure, Microsoft, May 2009, (http://www.globalfoundationservices.com/security/documents/SecuringtheMS CloudMay09.pdf)

[JERI02]

[JOIN01]

[JONE01] [JONE02] [KLAV01]

[LEAR01] [LOFS01]

[LOOY01] [MATH01] [MELL01]

[MELL02]

[MELL03]

[MICR01]

42

1012 Thesis - Cloud Computing IT Opportunity or Business risk

[MILL01] [MLL01]

Miller, Charlie, Routh, Jim, and Brown, Scott, Practical Aspects of Effective Management of Outsourcing Arrangements, IAPP, March 2009 Mller, Ulrich, Optimizing the Desktop using SUN xVM Virtualbox, SUN, January 2008, (http://wikis.sun.com/display/BluePrints/Optimizing+the+Desktop+Using+Sun +xVM+VirtualBox) Montero, Angelo, VIRTUALISATIE: alleen maar voordelen (deel 1), PvIB, EDP-auditor 2009/1, (http://www.norea.nl/Sites/Files/0000025533_Virtualisatie.pdf) Montero, Angelo, VIRTUALISATIE: alleen maar voordelen (deel 2), PvIB, EDP-auditor 2009/1, (http://www.norea.nl/Sites/Files/0000026215_Virtualisatie.pdf) NEN, Final report SA/CEN/ENTR/371/2006-27 project 2006/27.9 ITOutsourcing, 2006, (http://www.cen.eu/cen/Services/Business/Value/Documents/Project9ITOutso urcingMarch2009.pdf) Norea, PvIB, Studierapport Normen voor de beheersing van uitbestede ICTbeheerprocessen, Norea, PvIB, December 2007, (http://www.norea.nl/readfile.aspx?ContentID=36811&ObjectID=345039&Ty pe=1&File=0000021661_NoreaPvIBhandreiking.pdf) Omtzigt, Theodore, Cloud Computing - Predominantly an IT Operation Outsourcing Trend, Eclipse, August 2008, (http://eclipse.syscon.com/node/646521) Platform, Computing, Enterprise Cloud Computing - Transforming IT, Platform Computing, July 2009, (http://www.platform.com/eforums/eforum.asp?1-1IAQV5) Platform, Computing, IT Mordernization - From Grid to Cloud in Financial Services, Platform Computing, 2009 Ports Dan, R. K. and Garfinkel, Tal, Towards Application Security on Untrusted Operating Systems, July 2008, (http://www.stanford.edu/~talg/papers/HOTSEC08/towards-trustedhotsec08.pdf) Post, Sjon, Cloud & Security - De keerzijde van cloudcomputing, Infosecurity, Infosecurity 2009/4, (www.infosecurity.net) Privacy Rights Clearinghouse, Chronology of Data Breaches, PRC, 2010, (http://www.privacyrights.org/ar/ChronDataBreaches.htm) Perdeck, Michiel and Mulder, Jacob, Grids, Clouds and SaaS - and what about security, PvIB, November 2008

[MONT01]

[MONT02]

[NEN01]

[NORE01]

[OMTZ01]

[PLAT01]

[PLAT02] [PORT01]

[POST01] [PRC01] [PVIB01]

1012 Thesis - Cloud Computing IT Opportunity or Business risk

43

[RAVA01]

Raval, Vasant, Risk Landscape of Cloud Computing, Isaca, Isaca Journal 2010/1, (http://www.isaca.org/TemplateRedirect.cfm?template=/ContentManagement/ ContentDisplay.cfm&ContentID=55346 ) Reese, George, Cloud Application Architectures, O'Reilly, April 2009 Richardson, Robert, CSI Computer Crime & Security Survey, 2008, (http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf) Roehrig, Paul, IT_Services_Outsourcing, Forrester, October 2008 Ross, Steven J., Cloudy Daze, Isaca, Isaca Journal 2010/1, (http://www.isaca.org/TemplateRedirect.cfm?template=/ContentManagement/ ContentDisplay.cfm&ContentID=55338) Sherwood, John, Clark, Andrew, and Lynas, David, SABSA - Enterprise Security Architecture, SABSA, 2009, (http://www.sabsa.org/whitepaperrequest.aspx?pub=Enterprise+Security+Arch itecture) Sherwood, John, Clark, Andrew, and Lynas, David, SABSA Limited Enterprise Security Architecture, SABSA, 2009, (http://www.sabsa.org/) Sabsa.org, What is Sabsa, SABSA, 2009 Schneier, Bruce, Cloud computing is overhyped, (http://www.schneier.com/blog/archives/2009/06/cloud_computing.html) Schneier, Bruce, Be careful when you come to put your trust in the clouds, (http://www.guardian.co.uk/technology/2009/jun/04/bruce-schneier-cloudcomputing) Souren, Jos, De Virtuale desktop - Veilig inzetbaar of openen we de volgende 'backdoor'?, PvIB, IB 2008/7 Stamos, Alex, Cloud Computing Security - Fuzzy Computers Lead to Fuzzy Protections, Isec partners, February 2009, (https://www.owasp.org/images/5/58/Cloud_Computing_Security.pdf) Stan, Alina, Secure communications - End-to-end encryption in Jericho networks, June 2007, (http://www.few.vu.nl/en/Images/stageverslagstan_tcm39-90706.pdf) Staten, James, Is Cloud Computing Ready for the Enterprise, Forrester, March 2008, (http://www.forrester.com/rb/Research/is_cloud_computing_ready_for_enterpr ise/q/id/44229/t/2) Subramaniam, Gan, HelpSource, Isaca, Isaca Journal 2009/6

[REES01] [RICH01] [ROEH01] [ROSS01]

[SABS01]

[SABS02] [SABS03] [SCHN01] [SCHN02]

[SOUR01] [STAM01]

[STAN01]

[STAT01]

[SUBR01]

44

1012 Thesis - Cloud Computing IT Opportunity or Business risk

[SUN01]

SUN, Open Source and Cloud Computing - On-Demand Innovatieve IT on a massive scale, SUN, March 2009, (http://ae.sun.com/offers/show.jsp?taco=371) SUN, Take your business to a higher level, SUN, (http://www.sun.com/offers/details/cloud_computing_primer.html) SUN, Optimizing Applications for Cloud Computing Environments, SUN, November 2009, (https://www.sun.com/offers/details/cloud_refactoring.xml) Tay, Liz, Gartner, Google discuss future of cloud computing, IT news, May 2008, (http://www.itnews.com.au/News/112339,gartner-google-discuss-futureof-cloud-computing.aspx) tcnikc, Downtime At Rackspace Cloud, TechCrunch, 2009, (http://techcrunch.com/2009/11/02/large-scale-downtime-at-rackspace-cloud/) Townley, Andrew S., Getting Your Head in the Cloud, Archistry Limited, September 2009 Armbrust, Michael, Fox, Armando, Griffith, Rean, Joseph, Anthony D., Katz, Randy H., Konwinski, Andrew, Lee, Gunho, Patterson, David A., Rabkin, Ariel, Stoica, Ion, and Zaharia, Matei, Above the Clouds A Berkeley View of Cloud Computing, UCB, February 2009, (http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.html) Uitenbroek, Aad, Enterprise Security Architecture - A Business driven approach, Norea, (http://www.norea.nl/readfile.aspx?ContentID=52139&ObjectID=496997&Ty pe=1&File=0000025995_Security%20Architectuur%20SABSA%20Getronics. pdf) Vaquero, Luis M., Rodero-Merino, Luis, Caceres, Juan, and Lindner, Maik, A Break in the Clouds: Towards a Cloud Definition, ACM, January 2009, (http://ccr.sigcomm.org/drupal/files/p50-v39n1l-vaqueroA.pdf) Varia, Jinesh, Cloud Architectures, Amazon, 2009, (http://jineshvaria.s3.amazonaws.com/public/cloudarchitectures-varia.pdf) Velte, Antony T., Velte, Toby J., and Elsenpeter, Robert, Cloud Computing A Practical Approach, McGraw Hill, November 2009, (http://www.mcgrawhill.co.uk/html/0071626948.html) Weiss, Aaron, Computing In The Clouds, December 2007, (http://portal.acm.org/citation.cfm?id=1327513) Williams, David and Haight, Cameron, Understanding the Real Cost of an IT Management Product, Gartner, March 2009 Wood, Gary, Security Implications of Cloud Computing, July 2009, (https://www.securityforum.org/?page=DocumentDownload&itemid=3915)

[SUN02] [SUN03] [TAY01]

[TCNI01] [TOWN01] [UCB01]

[UITE01]

[VAQU01]

[VARI01] [VELT01]

[WEIS01] [WILL01] [WOOD01]

1012 Thesis - Cloud Computing IT Opportunity or Business risk

45

Appendices

46

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Appendix 1: Interviews
To verify if our assumptions and the global opinion about Cloud Computing poses the same sceptics, we have held interviews with companies from the demanding site. The interviews were based on the research questions of this thesis which can be found in paragraph 1.2. The companies we interviewed preferred to stay anonymous. The opinions discussed were also partly based on personal note/title and do not necessarily endorse the same position of the companies we interviewed.

Global Retailer
Introduction We had a meeting with the IT manager of a private company that owns a concept which is protected by Intellectual Property rights. The companies goal is to keep this concept alive and make it as profitable as possible, by constantly developing new products based on this concept. The company has stores in 38 countries all over the world which selling these products. All those stores are franchisers, except one, which is owned by the company itself and functions as its laboratory. It enables the company to test concepts and prove to the international network of franchisers that its new concepts are working. The store is among the top ten of biggest stores worldwide in terms of volume and employs 750 people. The IT platform used in the store for these employees is Microsoft Office and Microsoft Outlook for mail. Because the company is constantly keeping its concept alive and makes it as profitable as possible, its culture is very innovative. That is the reason that the IT department allows the employees to do everything on the internet and accepts that they have to fight the danger as IT department by other measures. Vision The vision of the companies IT manager on Cloud Computing is: Why doing it yourself when it is the core business of another company? Apart from managing the IT within the company, the IT department is also helping its retailers to lower the IT costs of the stores. Within a store the IT landscape exists of email, financial and Business Intelligence systems, so basically non keys systems. As such, the IT department started a pilot with SAAS, the reason was purely cost driven and justifies itself by reducing the costs of software licenses. Instead of using Microsoft Outlook and Microsoft Office, the store would use Gmail and Google apps. In this way the store would save on licenses costs. All 750 employees of the store were migrated from Outlook and Office to Gmail and Google apps. Because of the innovative nature of their company, it was decided to do this without training the personnel. With the exception of a couple of complainers, the switch was successful.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

47

Experiment The company was able to experiment with Cloud Computing (Gmail and Google apps) this way because the information involved is not confidential. As mentioned above, most information is protected by Intellectual Properties rights and owned by the company. If there would be an exposure of this information, it would be bad for Google and not for the company; because the information is owned by the company and protected since it is Intellectual Properties. The IT manager sees as a real risk if the document is lost and if Google has no backup. Risks The risk of (potential) information loss remains the same if it would be outsourced to companies such as messagelabs for spam and virus scanning compared to a Cloud provider. All the email is leaving the physical boundaries and is being processed by third parties. The risk analysis was based on how much information was involved and how big the risks would be if this information would become public versus the cost savings on licenses. The IT manager did not know if the concept would be accepted by the other franchisers. Moreover, he was not sure if Cloud Computing could be used for more sensitive information or key systems. Data is a big issue. Under which jurisdiction will it fall is very important. It could be a benefit or a problem to fall under the wrong jurisdiction. Regulations within the Netherlands are better arranged, compared with for example Russia and thus give a lower risk. Possible performance issues are still available in an enterprise environment. The problem is not about bandwidth or other network settings. It could be that Internet Explorer is giving performance issues, but from the enterprise the applications are slower then compared to a users home pc or mobile device. The IT manager thinks however that the information which is classified as high risk could be processed by the Cloud eventually. This is not happening at the moment because the risk is more based on emotional level than practical level. People are too cautious and you need to have a great trust in the third party. Until now this is the biggest barrier to overcome. The confidentiality is currently only safeguarded by contractual agreements with Google. There is no need for a SAS70 type 2 or ISO27001 statement. Google has a SAS70 statement as well. The statements however do not prevent you from mistakes and errors. You have to rely on companies which follow good processes. There remains one question which cannot be answered. It is: How much do you trust the supplier? What is the risk we accept? Interesting points: - Employees may themselves decide on the cheapest solutions; - The new generation is already used to gmail, google docs and the new paradigms; - Reason for Cloud Computing is cost reduction of IT; - How much information + how big is the risk vs Cost savings

48

1012 Thesis - Cloud Computing IT Opportunity or Business risk

No encryption is used with email because it is more about owning the Intellectual Property and therefore the information has not a high level of Confidentiality; Why do it yourself is the core business of other companies; Because of the innovation, almost everything is allowed and the IT department is fighting the danger through other measures; The IT manager believes in Consumer IT: users are choosing low cost solutions themselves. This situation is the opposite of the old days, where people came to work to surf the internet or sit behind a computer; Today is about control of all devices. Vision is to let loose of the old model of end device control and protect what is important; Apple and Google use new business models which are adopted and adored by the new generation; Google apps: o Get rid of outlook, exchange and office; o New way of thinking: Old days: physical translation with: Paper => envelope => filing cabinets; Now: automatic version control, one source (or version); New generation => easy adopters. o 2 to 4 weeks learning curve: New habit; New paradigm. o Test group didnt want to go back to Office: Too slow; Less easy to keep in touch with colleagues; No more access on the move by smart phone. o Results pilot: Showed what is possible; Showed cost reduction; Showed no negative impact on KPI of the store.

Big financial institution


Introduction We interviewed one of the persons from corporate operational risk management of a big financial institution. We will identify the person with XY. XYs impression of SAS70 is that it is not very useful. It can be a real pain in the ass. The problem is that SAS70 can be suitable for almost anything/any service because coverage over the specific controls of an outsource agreement are devised on a case-by-case basis. There is no real safeguard or control to what is checked and how extensively with a SAS70 report/statement unless utilising level 2 (testing) over whatever has been agreed. The question or difficulty lies within the standards for Cloud Computing. There must be someone who steps up and puts the ball back to the world and make a choice in a framework to follow.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

49

Standard framework There should be a new standard which is not based on former standards such as ISO or COBIT (4.0) which do not take the (current dependent internet) into account. Thus XYs advice is to start over again from scratch and focus on the risks of modern computing. Cloud Computing suitability XYs opinion is that Cloud Computing is as of now only suitable for the small and medium business and could only be useful on an application by application approach if applications were able to be unpicked from the spaghetti. RTA Right to audit; the principle is good, but the audit needs to be unforecasted to be of good value. In the opinion of XY the advantage of an unplanned and thus more unforeseen audit gives a far more accurate risk and day-to-day situation. Technology miss XY has the opinion that a lot of stuff from the roaring 80s was never used. Some of the technology and/or ideas are completely overlooked and would be suitable at the moment. Clouding and Integrity and privacy A code of conduct or governance should be applied to the standards or framework of Cloud Computing. As with the internet, there is no real owner. As there is no ownership with the internet there is no real spokesperson or entity a company can refer to when a problem arises. To safeguard the correct working of the Cloud there should therefore be an (international?) agreement to take care of things such as legislation or accountability. And a rigid governance framework much more rigid than, say, an ISO and certifiable - but by whom? ENISA The world in global should not reinvent the wheel and should follow the work done by ENISA, Jericho, OWASP, ISF, etc and put a wrap around it. Data theft There has been a report made by the FBI which made a breakdown of data theft or data loss from an outsourcing principle. The breakdown showed the following groups responsible for theft or loss within an organization: Internal; External; Third party (they do DOS or sabotage). Key management Kerberos/Smart cards and PGP are working techniques but the companyhas not yet used them as well as Single Sign On due to the current architecture. Availability The opinion of XY is that the availability and resilience of a Cloud solution or virtualized environment need not necessarily be safer or more reliable than regular solutions with for example dedicated hardware.

50

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Reloading / restoring of systems For a customer it is currently unknown how the process for restoring their Cloud infrastructure takes place. The other problem could exist when there is a large outage and there are multiple customers involved. Which customer will in that case be restored first? The experience XY had when working for the London Stock Exchange was that IBM had not the systems, technology or manpower to do a restore of all customers at the same time in the event of a district-wide disaster in the City of London. This is because it is quite expensive to have a near 100 percent redundant and cutover environment. Transport of the dataflow Companies could use the networked capabilities as if it where compared to a single entity instead of the Cloud. This would cause problems when the availability is at stake. Cryptography IT over-relies on cryptography to function properly. This is particularly noticeable when there is a move to another system. For this to function properly there has to be synchronisation in a reset of the keys used to be able to retrieve the right information. Risks Risk issues for Cloud Computing: Business continuity; Privacy; Retrievability of data; Transport of data flow e.g. national boundaries/jurisdiction or costs of transport; Technology; People (failing, culture); Various national legislation and regulation in an international business environment. HR should be properly aligned with the governance model to be useful. There is a large risk when the industrialisation or habits/culture are not taken into account when people are (ab)using the system. Backup IT backup / failure strategies are not yet resilient in comparison to IT recovery. Disclosures In the USA there is already an act about disclosure of data privacy breaches. XY thinks that this will be incorporated within the European Parliament from work done by Brussels and due to the extensive work done by ENISA and specific lobby groups. This should seriously affect the Cloud provider to European jurisdictions, as it already does to clients in the USA and Canada - and thus could lead to improved security. VMwares marketing XY states that a lot of success stories from Amazon are based on the sales people from VMware and are not always objectively enough. Even information from XYs whitepaper is based on sales material. USA influence The business influence from the USA is enormous. To get things done there must be someone who shares its ideas with for example Google to let it work for the world.

1012 Thesis - Cloud Computing IT Opportunity or Business risk

51

Regulators The regulators are getting there teeth into nowadays issues and are getting more and more into a driver seat position and demand for better (security) controls. Answers 1. Is your company exploring the possibilities of Cloud Computing? Yes our company is looking into this, mainly from a cost savings perspective for their DCs. 2. If so, what kind of service model would your company prefer? Private Cloud, or a hybrid Cloud perhaps with the other (big) banks within the Netherlands. 3. What is the motivation for this preference? The banks in the Netherlands share a common risk profile and would therefore benefit from a common level of protection that could be implemented into a dedicated Banks Cloud satisfying the regulator (DNB). 4. What services would be candidates to move into the Cloud? That is the most interesting question. If we know the answer, this could be valuable information. But it depends on the Cloud see 3 above. 5. Did your company perform a risk analysis for the services that are candidates to be moved into the Cloud? 6. If so, what type of risks did this analysis reveal? Be more specific on how thorough and widely-scoped the risk analysis must be. Back to SAS70 again A risk assessment can take a day or a year we need the scope to be stated relatively specifically. 6. Is the internal audit department involved? Internal audit is not in the decision making role. They could be more in the driver seat position and do pro-active auditing. 7. If so, how do they feel about Cloud Computing? unknown 8. How do they gain assurance about the controls? The accountability is not yet revealed. There should be a framework like TOGAF (which is for architecture) to use on Cloud Computing and (security) controls.

52

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Appendix 2: Cloud Computing definitions


In 2008 Luis M. Vaquero, Luis Rodero-Merino, Juan Caceres and Maik Lindner [VAQU01] found more than twenty different definitions for Cloud Computing. Hereafter we have included a few of the most used definitions. Wikipedia: Cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them. Forrester: A pool of abstracted, highly scalable, and managed compute infrastructure capable of hosting endcustomer applications and billed by consumption. [STAT01]. Gartner: "a style of computing where massively scalable IT-enabled capabilities are delivered 'as a service' to external customers using Internet technologies." [HEIS01]. Isaca: In its simplest form, cloud computing is performing computing tasks via a network connection while remaining isolated from the complex computing hardware and networking infrastructure that supports it. Cloud computing relies on virtualization technology to offer each subscriber one or more individual virtual instances. Due to virtualization technology, each physical server can host several virtual servers. [GADI01]. SUN: its using information technology as a service over the network. We define it as services that are encapsulated, have an API, and are available over the network. This definition encompasses using both compute and storage resources as services. [CARO01]. Google: "It starts with the premise that the data services and architecture should be on servers. We call it cloud computing they should be in a "cloud" somewhere."[BOGA01]. Microsoft21: Virtualization and automation, Interchangeable (fungible) resources such as servers, storage and network, Management of these resources as a single fabric, Elastic capacity (scale up or down) to respond to business demands, Applications (and the tools to develop them) that can truly scale out, Focused on the service delivered to the business

21

http://www.microsoft.com/virtualization/en/us/cloud-computing.aspx

1012 Thesis - Cloud Computing IT Opportunity or Business risk

53

Berkeley University[UCB01]: "Cloud Computing refers to both the applications delivered as services over the Internet and the hardware Relevant Products/Services and systems software in the data Relevant Products/Services centers that provide those services. The services themselves have long been referred to as Software as a Service (SaaS), so we use that term. The data-center hardware and software is what we will call a Cloud. When a Cloud is made available in a pay-as-yougo Relevant Products/Services manner to the public, we call it a Public Cloud; the service being sold is Utility Computing." Those are just a few examples of a definition for Cloud Computing.

54

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Appendix 3: Computer incidents


CSI (Computer Security Institute) in close cooperation with the FBI reports annually about the survey it has held during the year to inform about the Computer Crime and Security Survey. Hereafter some results for 2008 with percentages of key types of incidents. The risks mentioned pose a threat to the Internet and its connected computers.

Table 4 Computer incidents

[RICH01] The information need and dependency on the Internet is growing each day. 1012 Thesis - Cloud Computing IT Opportunity or Business risk 55

Figure 1822 Internet Timeline growth of hosts

The amount of internet connected hosts (Figure 18) is growing at a constant (logarithmic) rate and the same trend is visible for the amount of websites (Figure 19).

Figure 1923 Internet Timeline growth of Websites

And the number of incidents and vulnerabilities is growing at a comparable rate, according to the information (Table 5) from CERT.

22 23

http://www.zakon.org/robert/internet/timeline See footnote 22

56

1012 Thesis - Cloud Computing IT Opportunity or Business risk

Incidents 1988 6 1989 132 1990 252 1991 406 1992 773 1993 1,334 1994 2,34 1995 2,412 1996 2,573 1997 2,134 1998 3,734 1999 9,859 2000 21,756 2001 52,658 2002 82,094 2003 137,529 2004 2005 2006 2007 2008Q1-3 Table 524 CERT Internet Incidents

Date

Advisories 1 7 12 23 21 19 15 18 27 28 13 17 22 37 37 28

Vulnerabilities

Tech Alerts

171 345 311 262 417 774 2,437 4,129 3,784 3,78 5,99 8,064 7,236 6,058

27 22 39 42 29

24

http://www.cert.org/stats

1012 Thesis - Cloud Computing IT Opportunity or Business risk

57