
Mike Chung
Cloud computing seems likely to outgrow the hype stage in 2011. There is a growing realization that cloud computing has a far-reaching impact on the degree of assurance provided by financial statements, in particular concerning annual reports and accounts. Cloud computing means external data storage on the cloud provider’s premises, the sharing of IT resources and dependency upon the public internet. Therefore, the steadily progressive shift from locally installed and maintained IT to the cloud makes it necessary for potential customers to be adequately informed about the following key issues: What is cloud computing? How does cloud computing impact the degree of assurance, in particular concerning financial statements? What steps should be taken? This article will provide answers to these questions.
Introduction
Cloud computing is undoubtedly the most significant phenomenon in IT today. The provision of IT services via the internet, which is what cloud computing is essentially all about, seems likely to outgrow the hype stage in 2011. A recent study by KPMG shows that nearly 60 percent of Dutch companies are already using cloud services for one or more parts of their IT, or intend to switch to cloud solutions within the next 12 months. The same study also indicates that the majority of respondents consider cloud computing to be the future model of IT. However, it should be noted that of the total expenditures on IT at these companies, the share allocated to cloud computing is still marginal (less than 5 percent) ([KPMG10]).
While the established pioneers of cloud computing (Salesforce.com, Amazon and Google being the best known) are steadily expanding their service portfolios, almost all major IT providers are investing heavily in cloud services in order to meet the apparently rising demand. Microsoft, IBM and Oracle are all offering cloud services and cloud-enabling technology to facilitate business processes, occasionally in collaboration with other software companies and IT integrators.
Amidst the cloud euphoria fanned by IT providers and “independent” analysts, there is a growing realization that cloud computing has a far-reaching impact on the degree of assurance provided by financial statements, in particular concerning annual reports and accounts. Factors of importance to financial business processes (access control and authorization,
Assurance in the cloud
The impact of cloud computing on financial statements
M. Chung is a manager at KPMG Advisory. He is primarily concerned with issues concerning cloud computing, outsourcing and online services. Mike is a frequent speaker at conferences and seminars, and regularly publishes on IT topics in a variety of journals.
chung.mike@kpmg.nl
Compact_ IT Advisory 47
The reason why this seemingly simple concept is explained so differently by IT providers, analysts and academics is mainly that cloud computing involves not only technological but also important business elements. From a technological perspective, cloud computing is based upon already existing technologies such as virtualization, web services, shared data caches, and grid computing. Since ASPs (Application Service Providers) have been providing IT applications over the internet for more than a decade, cloud computing can indeed be denoted as “old wine in new bottles.”
However, the commercial provision of IT services over the internet on a large scale from shared pools of IT resources has only become economically viable due to three relatively recent developments. Firstly, the above-mentioned technologies, of which virtualization and web services are the most important, have been refined, standardized and widely applied during the last five years. Secondly, public broadband networks have become abundant and readily available at reasonable cost. Thirdly, some providers have expanded the scale of their IT resources enormously, making them the major players in the cloud computing market of today.
The business principle of cloud computing is based on the fact that possession/ownership of IT resources (i.e. applications, platforms or infrastructure) is independent of the use of these resources. In cloud computing, IT resources, whether an application or storage, remain the property of the cloud service provider; customers only pay for the use of the IT service without requiring local software or hardware installations. In theory, cloud computing does not require upfront investments (capital expenditures), unlike traditional, on-premise IT. The customer only needs access to the internet.
change management, backup and recovery) have different risk profiles in the cloud than they have when they are part of traditional, on-premise systems. As a rule, and from the viewpoint of the customer, cloud computing means external data storage on the cloud provider’s premises, the sharing of IT resources and dependency upon the public internet.
Therefore, the steadily progressive shift from locally installed and maintained IT (also known as on-premise IT) to the cloud makes it necessary for potential customers to be adequately informed. For them, information about the following key issues is important:
- What is cloud computing?
- How does cloud computing impact the degree of assurance, in particular concerning financial statements?
- What steps should be taken?
This article will provide answers to these questions.
What is cloud computing?
Definition
A search using Google or Bing delivers a multitude of definitions, descriptions and opinions on cloud computing. Some speak of “applications on the internet” or a “computational style in which IT provides scalable and flexible capabilities as services to external customers through the use of internet technology,” while others qualify it with terms such as “old wine in new bottles.” Obviously, there is a lack of consensus and a lot of confusion on what cloud computing actually is.
Simply stated, cloud computing means the provision of IT services from shared resources via the internet. The internet is often metaphorically depicted as a cloud, hence the term cloud computing. Well-known examples of cloud computing are Gmail, Google Apps, Hotmail and Apple’s MobileMe.
Figure 1: Statement “Cloud computing is the future model of IT” (answer categories: strongly agree, agree, undecided, disagree, strongly disagree), based on responses of 125 decision-makers ([KPMG10])
Figure 2: On-premise IT versus cloud computing ([KPMG10]). On-premise: the customer operates hardware, software and data for its users and pays the vendor for licenses and support costs. Cloud computing: the vendor delivers IT services to the customer’s users over the internet on a subscription or pay-as-you-go basis.

- External data storage and processing. Unlike on-premise IT, data is stored and processed outside the customer’s domain at the cloud service provider’s location(s).
- Multi-tenancy. Contrary to on-premise IT, resources are shared, to a certain degree, by multiple customers.
- Internet dependency. Although leased lines and proprietary networks can be used for cloud computing, the primary infrastructure of cloud computing is the public internet.
- Contracted services. Customers pay for a service (pay-as-you-go or subscription) instead of licenses and/or hardware.
- On-demand services. In contrast to the vast majority of on-premise IT, cloud services can be used almost instantly.
- Elasticity. Cloud services can be easily upscaled and downsized.
Multi-tenancy may be limited to a select group of customers or even a single customer, although there is always a degree of multi-tenancy (e.g. physical facilities, cooling, supporting staff) with cloud computing. This form of private or dedicated cloud computing represents an alternative to the public cloud, which has a high degree of multi-tenancy. In either form, customer data is stored at the provider’s location(s).
Some providers offer private cloud computing solutions in which an organization’s internal IT department uses cloud computing technologies to create an “on-premise cloud.” Since this internal form of cloud computing is fully dependent on internal, on-premise IT, it is highly questionable whether this type can truly be called cloud computing. Therefore, any such notion of an internal cloud will not be discussed in this article.
Layers, characteristics, and types
Cloud services can be offered at various layers of IT. At the software layer, such a service is called Software-as-a-Service (SaaS). Platform-as-a-Service (PaaS) provides IT services at the platform level (e.g. operating systems, application frameworks); in this case, additional software must be developed or installed by customers. Infrastructure-as-a-Service (IaaS) provides technical infrastructure components (e.g. storage, memory, CPU, network). Additional platform elements and software have to be installed by the customer, or specific infrastructure components can be utilized for on-premise processes (see Figure 3). Generally, cloud service providers specialize in one or two layers only.
Depending on the layer, cloud computing has the following characteristics:
Figure 3: Different layers of cloud computing ([KPMG10]). SaaS (e.g. Salesforce.com, Microsoft BPOS, Gmail) covers software, platform and infrastructure; PaaS (e.g. App Engine, Force.com, Azure) covers platform and infrastructure; IaaS (e.g. Amazon EC2, Terremark, Rackspace) covers infrastructure only.
Figure 4: Different types of cloud computing ([KPMG10]). Internal cloud computing: a customer’s internal IT delivers services to itself over the internet. Private cloud computing: a provider delivers services over the internet to a single customer. Public cloud computing: a provider delivers services over the internet to multiple customers.
Cloud computing also has the advantage of keeping software development and updates largely out of the customer’s sight. Ideally, the customer only defines a set of specifications and requirements, according to which the provider implements the updates and changes on the relevant parts of the IT environment. The customer is only required to conduct functional tests and decide on acceptance. Consequently, annoying updates to IT systems are a thing of the past.
Cost-savings
IT operational costs can be reduced significantly by adopting cloud computing, since this model’s initial investments (capital expenditures) are marginal compared to the costs involved in large-scale, costly and risky implementations of on-premise IT resources. All installations actually take place on the provider’s servers, and the management costs for making the services continuously available are borne by the provider. Moreover, there are considerable savings in terms of hardware, server rooms, air conditioning and electricity. The costs passed on to customers are relatively low due to the economies of scale of most cloud service providers, efficient use of (shared) resources, and centralization of expertise.
With cloud computing, charges only apply to the use of the IT
service, as the IT resource remains in the possession of the
provider. Although subscriptions are still the rule, “pay-as-you-
Drivers of cloud computing
More flexibility
The success of cloud computing is partly due to the fact that traditional, on-premise IT is increasingly being confronted with technical limitations and complexity, while the costs of implementing and maintaining IT systems are scarcely kept under control. Outsourcing and offshoring have only partially solved the problems, and the promised cost savings rarely turned out to be achievable. Cloud computing seems to offer the ideal solution in this respect; it enables companies to phase out parts of their IT, including hardware, software and IT personnel. Companies can regain authority over their business, required IT services are obtained over the internet, and the costs are transparent and relatively easy to control.
A recent survey by KPMG revealed that nearly 60 percent of cloud computing customers feel flexibility is the most important benefit. Cloud services can be purchased and used quickly since installation has already been done by the provider, including all associated requirements to manage the IT resources, construct physical facilities and provide security. This is in stark contrast to the lengthy and risky deployment projects that are so typical of on-premise IT ([KPMG10]).
Figure 5: Benefits of cloud computing based on responses of 125 decision makers ([KPMG10]). Question: “What benefits do you expect from cloud computing?”; answer categories (percentage of respondents): more flexibility, cost savings, better scalability, complexity reduction, more (core) business focus, collaboration, switch from CapEx to OpEx, green IT, advanced technology, better functionality, improved security.
Into perspective
Notwithstanding the valid drivers of cloud computing and the hype, cloud computing should be put into perspective. The share of IT expenditures allocated to cloud computing is still marginal. Depending on the analysis, the share allocated to cloud computing as of 2010 is between 2 and 4 percent, with the US as the leading outlet of cloud services (60 percent); the rest of the world, including Europe, can be considered peripheral. No matter how popular cloud computing is in our social lives (Facebook and Gmail as typical cloud services), large-scale adoption of cloud computing by the corporate community is yet to come. For the time being, at least until 2015, traditional, on-premise IT will be the dominant factor ([KPMG10], [OECD10]).
Yet, the emergence of cloud computing cannot be ignored: it is growing between 20 and 40 percent per year, despite (or perhaps thanks to) the economic low tide. Moreover, the move towards centralization and consolidation of IT resources and management is a process that has been taking place since the turn of the millennium. From locally installed IT, many companies chose to set up Shared Service Centers (SSC) in order to make more efficient use of their IT. Then came the waves of hosting applications on external platforms and infrastructure, and outsourcing/offshoring. In this respect, cloud computing can be seen as the next phase in this process and part of the paradigm shift in automation from locally installed/managed IT towards centralized delivery and shared use of services ([KPMG10], [OECD10]).
go” has come into vogue recently, enabling the customer to pay each time the service is employed. The advantage of pay-as-you-go is that payment is only made for services that are actually used, and unnecessary overhead is avoided.
Still, it should be noted that, although the initial costs of cloud computing are significantly lower than those of on-premise IT, the costs of cloud computing remain constant throughout the life cycle of the relevant IT resource, supposing that demand remains constant. The costs of local facilities will, however, diminish gradually, due to depreciation. The cost-savings of cloud computing are therefore highly dependent on the duration of the product life cycle. The longer an IT resource is used, the lower the relative advantage of cloud computing in relation to on-premise IT.
Better scalability
Cloud computing also offers the advantage of being able to adjust the use of IT resources either upwards or downwards, thus improving the scalability of IT.
By using various types of virtualization and load-balancing,
cloud computing solutions can easily be scaled up and down.
Combined with the “pay-as-you-go” or subscription models that
are common to cloud computing, customers only pay for what
they use and the required IT capacity is always available (in
theory). In contrast to on-premise IT, IT capacity is never idle
and never scarce.
Figure 6: Scalability of cloud computing ([KPMG10]). Two charts of storage requirement against time: with on-premise IT, fixed capacity leaves either unused potential or a loss of opportunity; with cloud computing, capacity follows the storage requirement.
When we focus on the specific impact of cloud computing on the degree of assurance, particularly in financial statements, the following factors must be taken into consideration:
- access control and authorization;
- change management; and
- backup and recovery.
Generally, these are the most important IT topics for investigation within the scope of financial audits.
Risk profile
Cloud computing is not devoid of dangers. Although the number of major incidents involving commonly used cloud services was relatively small in 2010 in relation to the number of customers, the foremost providers (Google, Salesforce.com, Amazon and Microsoft) have all had to remedy several critical vulnerabilities in their cloud offerings. Recently, weaknesses in Hotmail were exposed by hackers, who were able to obtain illegal access to thousands of accounts. Amazon’s Elastic Cloud fell prey to botnets, and leaks in Google’s Web Service enabled unauthorized individuals to gain access to accounts and passwords.
Although these incidents were caused by various technical and
process-related weaknesses, customer data stored at the cloud
computing provider’s location was, in all cases to a certain
degree, compromised. All this emphasized at least one crucial
point: the customer is strongly dependent on, if not entirely at
the mercy of, the maturity of the cloud service provider.
The risks of cloud computing should be put into perspective. On the one hand, cloud computing is mainly based on existing technologies such as virtualization, data segregation and web services. So existing IT risks apply, albeit the controls and mitigating measures largely belong on the provider’s side, as the provider owns and manages the IT resources in the cloud. On the other hand, cloud computing has characteristics that considerably affect the risk profile compared to traditional, on-premise IT. These characteristics are:
- external data storage and processing;
- sharing of IT resources with other customers (multi-tenancy); and
- dependency on the public internet.
Access control & authorization
Concerning access control and authorization, all three characteristics related to the risk profile of cloud computing apply. The off-premise nature of the cloud means that the customer depends on the provider’s technology, personnel and processes. Multi-tenancy requires
The impact of cloud computing on assurance
Relevant factors
The number of cloud services that are mature and proven is rather limited, although CRM, e-mail, “office” software, document sharing and storage as cloud services are gaining a stronghold in the market. Given this impressive pace of development and growth, even financial software services from the cloud will become common in the near future. As a matter of fact, SaaS for accounting purposes, such as Twinfield and NetSuite, has a well-established reputation amongst mid-sized companies. It will take a while before ERP at Fortune 500 companies moves to the cloud, but the rise and expansion of cloud services is imminent, and thus increasingly relevant to the issue of assurance provided in financial statements.
Figure 7: Paradigm shift ([KPMG10]). Locally installed IT, hosting, SSC, outsourcing and cloud computing plotted against the degree of resource sharing (low to high), with cloud computing at the high-sharing end.
Characteristic | On-premise IT | Cloud computing
Location of data storage and IT assets | Within the (internal) security domain of the customer’s organization | Outside the internal security domain of the customer’s organization; hosted/located at the cloud service provider or distributed/scattered over a multitude of (third party) providers
Usage of (IT) resources | Exclusive for the customer | Various degrees of multi-tenancy
Primary infrastructure for data transfer | LAN; leased lines | Public internet
Table 1: Characteristics impacting risk profile
disabling/deleting computer accounts) and authorization (who and/or which roles have which permissions for which data) of internal IT resources are complex and open to improvement. Frequently, this process has weaknesses such as obsolete but still active accounts, thus affecting security. Often authorizations for role/function changes within the organization include new permissions while the old permissions have not been removed, resulting in too many permissions and possibly infringing segregation of duties. This complexity is increased by cloud services that use different procedures and/or other technologies to facilitate these processes. Lack of integrated processes can result in further weak points, with negative consequences for the level of assurance.
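As an added example (not part of the original article), the following Python script performs the kind of periodic access review the weaknesses above call for, over a constructed export of accounts from an internal directory and a SaaS accounting service: it flags obsolete but still active accounts, permissions retained from an earlier role, toxic permission combinations that breach segregation of duties, and cloud accounts whose user no longer has a live internal account. The role names, permission names, system labels and sample accounts are all hypothetical.

```python
# Added example: periodic access review over a constructed account export.
# Flags the weaknesses named in the text: obsolete-but-active accounts,
# permissions retained from an earlier role, segregation-of-duties conflicts,
# and cloud accounts whose user has no live internal account any more.
# Role names, permission names, system labels and sample data are hypothetical.
from dataclasses import dataclass
from datetime import date
from typing import Optional

INTERNAL_DIRECTORY = "ad"  # label for the customer's internal directory

# Permissions each role is supposed to grant (hypothetical role model).
ROLE_PERMISSIONS = {
    "ap_clerk": frozenset({"vendor.create", "invoice.enter"}),
    "ap_manager": frozenset({"invoice.approve", "payment.release"}),
    "gl_accountant": frozenset({"journal.post", "report.view"}),
    "auditor": frozenset({"report.view"}),
}

# Permission combinations that breach segregation of duties (hypothetical).
SOD_CONFLICTS = (
    (frozenset({"vendor.create", "payment.release"}), "create vendor and release payment"),
    (frozenset({"invoice.enter", "invoice.approve"}), "enter and approve the same invoice"),
)


@dataclass(frozen=True)
class Account:
    user: str
    system: str                  # INTERNAL_DIRECTORY or the name of a cloud service
    role: str                    # role the account currently holds
    permissions: frozenset       # permissions actually assigned
    enabled: bool
    last_login: Optional[date]   # None = never logged in


def is_stale(acct, today, max_idle_days=90):
    """Enabled account that never logged in or has been idle longer than allowed."""
    if not acct.enabled:
        return False  # disabled accounts have already been dealt with
    if acct.last_login is None:
        return True
    return (today - acct.last_login).days > max_idle_days


def excess_permissions(acct):
    """Permissions beyond the current role, typically left over from an earlier role."""
    return acct.permissions - ROLE_PERMISSIONS.get(acct.role, frozenset())


def sod_violations(acct):
    """Labels of every toxic combination fully present on the account."""
    return [label for combo, label in SOD_CONFLICTS if combo <= acct.permissions]


def orphaned_cloud_accounts(accounts):
    """Enabled cloud accounts whose user has no enabled internal account, i.e. the
    leaver process reached the internal directory but not the cloud service."""
    live_internal = {a.user for a in accounts if a.system == INTERNAL_DIRECTORY and a.enabled}
    return [a for a in accounts
            if a.system != INTERNAL_DIRECTORY and a.enabled and a.user not in live_internal]


def review(accounts, today, max_idle_days=90):
    """Run all checks; returns sorted findings per category as (user, system[, detail])."""
    findings = {"stale": [], "excess": [], "sod": [], "orphaned": []}
    for a in accounts:
        if is_stale(a, today, max_idle_days):
            findings["stale"].append((a.user, a.system))
        extra = excess_permissions(a)
        if extra:
            findings["excess"].append((a.user, a.system, tuple(sorted(extra))))
        for label in sod_violations(a):
            findings["sod"].append((a.user, a.system, label))
    findings["orphaned"] = [(a.user, a.system) for a in orphaned_cloud_accounts(accounts)]
    return {k: sorted(v) for k, v in findings.items()}


# Constructed export: internal directory plus one SaaS accounting service.
REVIEW_DATE = date(2011, 4, 1)
SAMPLE_ACCOUNTS = [
    # alice moved from ap_clerk to ap_manager; vendor.create was never removed
    Account("alice", "ad", "ap_manager",
            frozenset({"invoice.approve", "payment.release", "vendor.create"}), True, date(2011, 3, 1)),
    Account("alice", "saas_accounting", "ap_manager",
            frozenset({"invoice.approve", "payment.release"}), True, date(2011, 3, 2)),
    # bob left the company: directory account disabled, cloud account forgotten
    Account("bob", "ad", "gl_accountant",
            frozenset({"journal.post", "report.view"}), False, date(2010, 10, 1)),
    Account("bob", "saas_accounting", "gl_accountant",
            frozenset({"journal.post", "report.view"}), True, date(2010, 11, 15)),
    # carol was provisioned but has never logged in
    Account("carol", "ad", "auditor", frozenset({"report.view"}), True, None),
    # dave's cloud account was granted approval rights outside the role model
    Account("dave", "ad", "ap_clerk", frozenset({"vendor.create", "invoice.enter"}), True, date(2011, 3, 28)),
    Account("dave", "saas_accounting", "ap_clerk",
            frozenset({"vendor.create", "invoice.enter", "invoice.approve"}), True, date(2011, 3, 30)),
]

if __name__ == "__main__":
    for category, items in review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(category, items)
```

The orphaned-account check is the one that only exists because the cloud service keeps its own user store: in a single on-premise directory, disabling the leaver would have ended the matter.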
Cloud services have their own access control and authorization processes that are, in principle, not directly compatible with the customer’s requirements and wishes. Moreover, (open) standards for authorizations on computer systems are still in their development stages, while protocols such as SAML 2.0 provide sufficient latitude for a range of interpretations, thus hindering integration of different solutions.
Authorization mechanisms for more than 90 percent of purchasing organizations are based on the Security Groups and Group Policy Objects in Active Directory, which may or may not be supplemented by an RBAC tool. Both Active Directory and the RBAC tools are designed for an on-premise IT environment. Integration between different IT environments is therefore complex and still undergoing radical development. For example, Microsoft offers Active Directory Federation Services in order to integrate various Active Directories across multiple organizations. But this technology is also relatively new and not widely used on the market.
In practice, cloud-service authorization mechanisms tend to be independent of those of the internal IT environment. This situation therefore increases the risk of additional management costs, inconsistent processes and higher complexity. Integration with existing internal IT services and between different cloud-computing providers may entail significant integration problems and increase complexity.
This complexity also applies to other security mechanisms. Not only are there multiple solutions, the chain of which is only as strong as its weakest link, but the integration of security often results in compatibility issues and unclear responsibilities.
Given the technology currently in development, mitigating the indicated risks will mainly involve the area of process integration. An effort is also being made to harmonize provider and customer processes regarding access control and authorizations. Similar harmonization may also be a solution for private
cloud services. In the case of public cloud services, the cus-
an advanced level of authentication, authorization, and separation of data instances. The public internet involves multiple access points from countless locations, which are exceptionally difficult to control.
In practice, customers are confronted by three issues:
1. divergent degrees and forms of authentication;
2. complexity of integrating control processes; and
3. technical complexity of integrating authentication mechanisms.
Almost all cloud services offer their own forms of authentication. They can range from a combination of account and password (2-factor) to stronger forms, such as a combination of account and password in association with a token (3-factor). The strength of authentication is usually fixed, and additional possibilities for authentication (e.g. tokens and/or authentication using biometric factors) are limited, especially for public cloud services. Specific solutions are available (even in the form of cloud services!) that connect the internal authentication mechanism (usually MS Active Directory) to the provider’s own authentication mechanism. This obviously requires additional investment and expenditure on controls. Besides that, authentication services over the internet are a niche market still in development, and their track record is limited.
Different authentication strengths, especially when the authentication of the cloud service is weaker than the customer’s requirements, can lead to weaknesses in the IT environment, with the result that the integrity and confidentiality of (financial) data is harmed.
When the required/desired form of authentication (e.g. a user account based on a specified convention, in conjunction with a password) is not applicable to cloud services, there is a high risk of incurring additional costs and management expenses. After all, two or more forms of authentication are being purchased and managed. Users should not be forgotten here. They have to log on using extra and possibly other means of authentication in order to gain access to IT services. Multiple log-ons with multiple tokens and/or smart cards can be a very annoying experience, not to mention an additional management burden for the organization.
Single Sign-On technology may in some cases be applied to establish a consistent form and strength of authentication, but it is generally difficult to implement, seldom fully applicable to all IT services, and often easy to circumvent insofar as cloud services are concerned, as many cloud services can be accessed directly from various access points on the internet.
In most large (more than 5,000 computer users) organizations,
the processes for user management (creating, changing and
The principle of multi-tenancy has the advantage of outsourcing complex change management to a specialist as well as a more efficient way of implementing changes (one change which applies to multiple customers). The disadvantage is that the customer depends entirely on the provider’s willingness and capacity to perform the required/desired changes. Moreover, undesirable changes cannot, in general, be undone for a single customer, especially when the service has a high degree of multi-tenancy. Although this especially applies to public cloud services, most private clouds are also highly standardized compared to on-premise environments.
In practice, it turns out that the limited control over and grip on changes does not impact the degree of assurance as much as the extent to which the provider grants access to its change management processes, that is: offering transparency. Few providers are openly transparent about the ways in which they manage changes on their systems, and only provide useful information about future releases of their cloud services. Generally, there is a persistent lack of clarity regarding how and on what grounds changes are initiated, how the impact analysis is conducted, how a change is tested and how it is approved.
Good SAS 70 reports – after mid-2011 the SAS 70 standard will be replaced by the ISAE 3402 standard – seem to offer a solution to this issue, but only a minority of providers engage independent parties to regularly perform external audits. Moreover, the selected IT controls are often based on a single-tenant structure and not on the multi-tenancy characteristic of cloud services. Many of the controls necessary to ensure segregation of the data and resource utilization of various customers are not selected and therefore rarely audited. Furthermore, the auditor is faced with the problem that current frameworks, such as ISO 27001/2, are hardly suitable for multi-tenant environments. New frameworks with new IT controls are currently being formulated, but the number of initiatives remains large without any of the frameworks being widely accepted on the market.
A right-to-audit is recommended in these cases, but its exercise is reserved for the most wealthy and/or influential customers. Few requests for audits are honored, and many auditors lack the technical knowledge and experience with the architecture to evaluate cloud services on their proper merits.
Insufficient assurance from the provider can therefore constitute a reason to (temporarily) refrain from using cloud services.
tomer will have to submit to the provider’s processes. In any
case, this factor must be included in the business case.
It is therefore recommended that the following steps be taken before moving to the cloud:
- Identify current processes for user management, authentication and authorization.
- Define clear requirements regarding management processes, especially concerning authorization management.
- Define clear technical requirements, especially in terms of (open) standards.
- Define the future integration of the technical architecture before making a choice.
- Perform technical pilot studies prior to selection.
- Define an exit/migration strategy.
Change management
Concerning change management, two characteristics related to the risk profile of cloud computing apply. IT resources on the provider’s premises mean, in the first place, that changes to the IT environment with potential impact on the data are no longer controlled by the customer but by the cloud service provider. Unlike on-premise IT, change management in the cloud is primarily not the customer’s responsibility but that of the cloud service provider.
Secondly, this also means that the customer only has limited influence on the changes in the cloud services that it purchases. In principle, the provider supplies all patches and new versions, and keeps the IT environment available. Multi-tenancy implies that each change has an impact on multiple customers, thus limiting the degree of customization and the desired time frame of changes.
On-premise IT | Cloud computing risks | Cloud computing
Harmonized degree(s) and form(s) of authentication | Weaker authentication, leading to undesired concession in security; bypassing of authentication mechanism, leading to security vulnerabilities | Divergent degrees and forms of authentication between the customer organization and the provider
Harmonized control processes | Too many permissions, leading to breach of segregation of duties; uncontrolled growth of obsolete user accounts and permissions, leading to deficiencies | Complexity of integrating control processes
Harmonized authorization | Multiple instances to control authorizations, leading to additional costs and management burden; integration based on immature technology, leading to an unstable environment susceptible to errors | Technical complexity of integrating authorization mechanisms
Table 2: Cloud computing risks to access control & authorization
For instance, an important part of the data from a US hospital using a cloud service offered by a US provider turned out to be archived in India. This was a violation of US legislation, as it is prohibited to store medical records with personal data outside the US. The US provider had in fact outsourced its archiving activities to an Indian company without informing its customer.
The issue becomes critical when the cloud computing provider is no longer able or no longer willing to make the customer’s data available to the customer. Possibilities for escrow exist, but besides the technical implications concerning recovery of data in the proper format and media, the market has yet to elaborate on the legal and technical implications. For example, open data formats which can (theoretically) be interchanged between different technical solutions are seldom enforced, and as of 2011, much data in the cloud is in the proprietary formats of the provider in question.
A right-to-audit with regard to backup and recovery is recommended, but in practice only a few requests for audits will be honored. Firstly, it is practically impossible for large providers to have their IT environment constantly audited in response to thousands of different requests. Secondly, auditing a multi-tenant environment requires specific expertise by auditors regarding architecture and technology, which is sparsely available. Therefore, it is better to require transparency from the provider prior to making the purchase.
It is therefore recommended that the following steps be taken before deciding to move to the cloud:
- Identify change management controls with regard to applicable rules and regulations.
- Define clear requirements regarding the change management process.
- Demand right-to-audit where possible.
- Use additional controls which apply to multi-tenant environments.
- Make sure audits are performed by experienced auditors who understand cloud services.
Backup & recovery
Backup and recovery in the cloud also depend on measures
taken by the provider. Apart from – often standardized –
reports on backed up data, customers have to trust that the
providers actually back up their data and store it in a safe place
under proper storage conditions. In addition, customers have
to assume that, in case of emergency, the backed up data can
be instantly recovered and its availability quickly restored.
Several major incidents have demonstrated that not all data in
the cloud is backed up adequately. Tousands of customers lost
their data in the cloud due to the infamous “Sidekick Disaster”
at Microsoft and T-Mobile in 2009. In violation of agreements,
it turned out that Microsoft and T-Mobile did not fully back up
the data of their customers. Furthermore, the part that had
been secured only became available after several days.
Besides the issue of failing or missing backups,
the use of subcontractors has also become a prob-
lem plaguing the cloud. Often, a portion of the
cloud services is subsequently outsourced by the
provider to other cloud computing providers. It
is not uncommon for backups and archiving to
be performed by other (specialist) providers in
diferent geographical locations with diferent
regulations concerning data storage, data protec-
tion and privacy.
/NPREMISE)4 #LOUDCOMPUTINGRISKS #LOUDCOMPUTING
#HANGESINITIATED
AUTHORIZEDANDGENERALLY
IMPLEMENTEDBYTHE
PROVIDER
„
„
#HANGESINITIATED
AUTHORIZEDAND
GENERALLYIMPLEMENTED
BYTHECUSTOMER
#HANGEMANAGEMENT
CONTROLSASDEFINEDBY
THEPROVIDER
„
„
#HANGEMANAGEMENT
CONTROLSALIGNEDWITH
RELEVANTSTANDARDSAND
REGULATIONS
5NDESIREDCHANGES
5NANNOUNCEDCHANGES
)NSUFFFICIENTASSURANCEONADEQUATE
CHANGEMANAGEMENTCONTROLS
)RRELEVANTSTANDARDSASSTARTING
POINTSFORAUDITS
/NPREMISE)4 #LOUDCOMPUTINGRISKS #LOUDCOMPUTING
8ackup ouIside
cusIomer's perimeIers
·
·
8ackup wiIhin
conIrolled, inIernal
perimeIers
SIandardized measures
oI Ihe provider
·
·
CusIomized seIIings
regarding backup &
recovery meeIing user
requiremenIs
ConIlicIing legislaIions
lncompliance due Io lack oI
Iransparency
lnsuIIIicienI service guaranIees such
as backup media and recovery Iime
Lxcessive backup daIa such as
privacy-relaIed daIa
Table 3: Cloud computing risks to change management
Table 4: Cloud computing risks to backup & recovery
Compact_ IT Advisory 55
standards to align multiple cloud solutions are yet to be deter-
mined. In terms of process, the same applies to change manage-
ment, which occurs virtually out of the customer’s sight and
control. With regard to backup and recovery, the customer
must be aware that data is not necessarily stored just on the
premises of the primary provider and that data recovery may
be subject to signifcant technical and legal complications.
Although measures can be taken to mitigate the risks of cloud
computing, on occasion it will be exceptionally difcult or even
impossible to implement these mitigations, as a right-to-audit
is rarely granted by big providers and current audit standards
lack specifc controls related to cloud services. In any case, the
customer must have an exit/migration strategy ready at all
times, enabling it to switch to alternatives at any moment. A
thorough risk analysis in association with the development of
a business case prior to the adoption of cloud computing is a
matter of course.
Te rise of cloud computing is seemingly unstoppable, even in
the domain of fnancial business processes. As we speak, organ-
izations are already moving their applications from their tra-
ditional, on-premise environments to the cloud. Awareness of
this paradigm shift followed by adequate risk management will
be a critical success factor.
References
[Chun09] Mike Chung, Cloud computing als panacee, KPMG,
2009.
[Chun10] Mike Chung, Audit in the Cloud, KPMG, 2010.
[Isac09] ISACA, Cloud Computing: Business Benefts With
Security, Governance and Assurance Perspectives, ISACA
Emerging Technology White Paper, 2009.
[KPMG10] KPMG Advisory, From Hype to Future: KPMG’s 2010
Cloud Computing Survey, KPMG, 2010.
[OECD10] OECD Information Technology Outlook 2010, OECD,
2010.
[Schn09] Bruce Schneier, Schneier on Security, 2008.
[Shaz10] Shay Uzery and Joep Ruiter, Privacywetgeving belemmert
cloud computing, Automatisering Gids, March 2010.
Te following steps must therefore be taken before deciding to
move to the cloud:
Require proper agreements and SLAs with clear thresholds

such as recovery times.
Obtain a full list of all the parties in the ecosystem of the

cloud (which parties are involved?).
Identify applicable regulations on data, data protection and

privacy on all physical locations of your data in the cloud. Take
adequate legal measures.
Arrange for escrow.

Require open data formats and open standards where pos-

sible.
Demand right-to-audit where possible.

Defne exit/migration strategy.

Make sure that a risk analysis is performed in advance.

Conclusion
Te share of IT expenditures allocated to cloud computing –
notwithstanding the hype – is still marginal in terms of total
spending on automation, and traditional, on-premise IT will
be the dominant factor for the time being. Yet the emergence
of cloud computing cannot be ignored: its growth is impressive
and the model itself can be seen as the next phase in the process
of centralization and consolidation of IT that began during the
last decade. CRM, e-mail and storage from the cloud are already
becoming de facto standards in automation, and more services
will follow.
Te impact of cloud computing on the degree of fnancial assur-
ance should be put into perspective. On the one hand, cloud
computing is mainly based on technologies that already exist,
such as virtualization and web services, so existing IT risks
apply. On the other hand, cloud computing has characteristics
that considerably afect the risk profle, compared to the tradi-
tional, on-premise IT. Tese characteristics are:
external data storage and processing;

sharing of IT resources with other customers (multi-tenan-

cy); and
dependency on the public internet.

When we look at the main factors related to assurance in fnan-
cial statements, namely access control and authorization,
change management, and backup and recovery, we can deter-
mine that cloud computing harbors risks for the customer and
challenges for the auditor.
Discrepancies between access control and authorization
requirements of the customer and of the cloud computing serv-
ice provider in technical and process-related felds can strong-
ly infuence the degree of assurance. Methods to integrate dif-
ferent directories are in their early stages of development while
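As an added illustration of the backup and recovery steps (not material from the article or from KPMG), the following customer-side drill checks a provider's backup report against the customer's own requirements (recovery-time threshold, the agreed list of parties, permitted storage locations, open formats) and verifies a test restore against a hash manifest the customer recorded at backup time. All party names, formats and figures are constructed; the sample report deliberately mirrors the hospital case described above, with an unlisted subcontractor archiving a copy abroad.

```python
"""Backup & recovery assurance drill for a cloud service (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupPolicy:
    """Customer-side requirements derived from the agreements and SLAs."""
    allowed_countries: frozenset   # jurisdictions where the data may be stored
    approved_parties: frozenset    # provider plus contractually known subcontractors
    open_formats: frozenset        # formats readable without the provider's software
    max_recovery_minutes: int      # recovery-time threshold taken from the SLA
    max_backup_age_hours: int      # how stale the newest copy may be


def assess_backup_report(report: dict, policy: BackupPolicy) -> list:
    """Check a provider's backup report against the customer's policy.

    Returns human-readable findings; an empty list means every requirement
    that can be checked on paper is satisfied.
    """
    findings = []
    for copy in report["copies"]:
        who, where = copy["party"], copy["country"]
        if who not in policy.approved_parties:
            findings.append(f"{who}: party not in the agreed cloud ecosystem list")
        if where not in policy.allowed_countries:
            findings.append(f"{who}: copy stored in {where}, outside allowed jurisdictions")
        if copy["format"] not in policy.open_formats:
            findings.append(f"{who}: copy in proprietary format {copy['format']!r}")
    newest = min(c["age_hours"] for c in report["copies"]) if report["copies"] else None
    if newest is None:
        findings.append("no backup copies reported")
    elif newest > policy.max_backup_age_hours:
        findings.append(f"newest copy is {newest} h old, limit is {policy.max_backup_age_hours} h")
    test = report.get("last_restore_test")
    if test is None:
        findings.append("no restore test on record")
    elif test["minutes"] > policy.max_recovery_minutes:
        findings.append(f"last restore took {test['minutes']} min, "
                        f"SLA threshold is {policy.max_recovery_minutes} min")
    return findings


def verify_restore(manifest: dict, restored: dict) -> list:
    """Compare restored files with the SHA-256 manifest recorded at backup time.

    The manifest stays with the customer, so a provider that lost or altered
    data cannot also adjust the evidence used to detect it.
    """
    problems = []
    for name, expected in manifest.items():
        data = restored.get(name)
        if data is None:
            problems.append(f"{name}: missing from restore")
        elif hashlib.sha256(data).hexdigest() != expected:
            problems.append(f"{name}: content differs from backup-time hash")
    for name in restored:
        if name not in manifest:
            problems.append(f"{name}: unexpected file in restore")
    return problems


# Constructed sample input: the provider keeps a copy in the US, but an
# archiving subcontractor the customer was never told about holds another
# copy in India, in a proprietary format, and the last restore took days.
SAMPLE_POLICY = BackupPolicy(
    allowed_countries=frozenset({"US"}),
    approved_parties=frozenset({"example-cloud-provider"}),
    open_formats=frozenset({"csv", "json", "xml"}),
    max_recovery_minutes=240,
    max_backup_age_hours=24,
)
SAMPLE_REPORT = {
    "copies": [
        {"party": "example-cloud-provider", "country": "US", "format": "json", "age_hours": 6},
        {"party": "example-archive-subcontractor", "country": "IN", "format": "xprop", "age_hours": 30},
    ],
    "last_restore_test": {"minutes": 4320},
}
# Manifest the customer computed when the data was handed over for backup.
SAMPLE_MANIFEST = {
    "patients.json": hashlib.sha256(b'{"id": 1}').hexdigest(),
    "ledger.csv": hashlib.sha256(b"2011-01-01,100.00\n").hexdigest(),
}
# What came back from the test restore; the ledger's line ending was changed.
SAMPLE_RESTORE = {
    "patients.json": b'{"id": 1}',
    "ledger.csv": b"2011-01-01,100.00\r\n",
}


def run_drill():
    """Run both checks on the constructed data; returns (report findings, restore problems)."""
    return (assess_backup_report(SAMPLE_REPORT, SAMPLE_POLICY),
            verify_restore(SAMPLE_MANIFEST, SAMPLE_RESTORE))


if __name__ == "__main__":
    report_findings, restore_problems = run_drill()
    for finding in report_findings + restore_problems:
        print("FINDING:", finding)
```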

on-premise IT will be the dominant factor for the time being. [OECD10] OECD Information Technology Outlook 2010. From Hype to Future: KPMG’s 2010 Cloud Computing Survey. 2010. • Require open data formats and open standards where possible. the customer must have an exit/migration strategy ready at all times. With regard to backup and recovery. ISACA Emerging Technology White Paper. 2008. The impact of cloud computing on the degree of financial assurance should be put into perspective.Compact_ IT Advisory 55 The following steps must therefore be taken before deciding to move to the cloud: • Require proper agreements and SLAs with clear thresholds such as recovery times. and backup and recovery. enabling it to switch to alternatives at any moment. 2009. [KPMG10] KPMG Advisory. and • dependency on the public internet. Audit in the Cloud. On the one hand. Governance and Assurance Perspectives. Automatisering Gids. compared to the traditional. Although measures can be taken to mitigate the risks of cloud computing. In any case. Cloud computing als panacee. [Chun10] Mike Chung. such as virtualization and web services. When we look at the main factors related to assurance in financial statements. • sharing of IT resources with other customers (multi-tenancy). organizations are already moving their applications from their traditional. Methods to integrate different directories are in their early stages of development while standards to align multiple cloud solutions are yet to be determined. we can determine that cloud computing harbors risks for the customer and challenges for the auditor. Yet the emergence of cloud computing cannot be ignored: its growth is impressive and the model itself can be seen as the next phase in the process of centralization and consolidation of IT that began during the last decade. A thorough risk analysis in association with the development of a business case prior to the adoption of cloud computing is a matter of course. [Isac09] ISACA. 
References [Chun09] Mike Chung. These characteristics are: • external data storage and processing. [Schn09] Bruce Schneier. [Shaz10] Shay Uzery and Joep Ruiter. . cloud computing has characteristics that considerably affect the risk profile. Cloud Computing: Business Benefits With Security. In terms of process. cloud computing is mainly based on technologies that already exist.
