CFIT Meeting, June 17, 2011
Cloud Assurance (PwC)

“The transformation to a true ‘digital enterprise’ will be the business challenge of the next decade. To achieve this, I see the implementation of a flexible, software based process layer across company departments, suppliers, and partners as the key enabling technology. This transformation has already started and today we are radically changing the way our customers do business. We are opening a whole new world of business models and business opportunities to them.”

Karl-Heinz Streibich, CEO, Software AG

“Going forward, we’ll see complete self-service and agility — as a user you should have the quickest, shortest path to getting whatever you want. This shift has been coming in bits and pieces, but now they’re coming together.”

Shekar Ayyar, Head of Strategy, VMware


[Diagram: Strategy, Structure, People, Process, Technology]

Entire industries are going through a transformation that leverages cloud capabilities, and with any transformation comes the need to manage change and mitigate risk.

[Diagram: Cloud Computing at the center, surrounded by Business benefits, Consumer loyalty, Revenue growth, Risk and compliance, Cost reduction, Enhanced customer expectations, New business models]


Why “Go Cloud?”

Benefits:
• Cost savings
• Innovation
• Agility
• Efficiency

Business imperative:
• Customer expectation
• Industry shift
• New revenue streams
• Scalability

Go to / use the cloud.


Realization that the cloud changes industry

Source: Business Insider, “How Netflix Bankrupted And Destroyed Blockbuster”, March 2011

Yesterday: In 2000, at $6B, Blockbuster declined to purchase Netflix for $50M. In 2011 Blockbuster is for sale for $290M, owes $21.6M to Fox, $20M to Warner and $13.3M to Sony, and has closed 1/3 of its stores.

Today: Downstream Internet traffic is 20% Netflix users and 9.89% YouTube users.

Tomorrow: It’s more than the technology. It’s the reality of the need to innovate, transform and optimize businesses. It’s business partners’ need to change interactions and expectations as cloud-based businesses change.


Recent predictions of Cloud Computing growth

“Gartner predicts that by 2015, 80% of enterprises using external cloud services will demand independent certification that providers can restore operations and data. “

“Infonetics Research is forecasting spending on security-related SaaS applications will experience a compound annual growth rate of 31% through 2014.”

“Cloud Computing was the #1 inquiry topic from Gartner clients in 2010.”

“MarketsandMarkets.com predicts that the global cloud computing market is expected to grow from $37.8 billion in 2010 to $121.1 billion in 2015 at a CAGR of 26.2% from 2010 to 2015.”

“Renub Research predicts the Worldwide Cloud Computing market is growing at a rapid rate and it is expected to cross $25 Billion by the end of 2013.”

“Joe McKendrick at ZDNet states that ‘very soon, a third of all software will be delivered via cloud.’”

“Gartner predicts by 2015, 20% of non-IT Global 500 companies will be cloud service providers.”

“At the Cloud Connect conference Vijay Bhagavath, technology equity researcher for Deutsche Bank, estimates investment in ‘private clouds’ could be a $20 billion dollar opportunity by 2012.”


Managing Change in Moving to the Cloud

• Have a clear understanding of the current process
• Clearly articulate the expected outcome and benefits of the move
• Identify, communicate and address lost capabilities
• Establish new responsibilities
• Assess change in control and compliance
• Adapt capabilities of personnel

Moving to the cloud requires ongoing preparation, planning, management and oversight. You still maintain responsibility for processes after the move.


Managing Change in Moving to the Cloud

• Have a clear understanding of the current process: Moving to the cloud successfully means not losing any capability. Understand current outcomes, including governance and control.

• Clearly articulate the expected outcome and benefits of the move: Service level agreements should reflect specific expectations for services, metrics and responses for non-achievement.

• Identify, communicate and address lost capabilities: With standardization of most “XaaS” solutions, changes in internal processes may be needed to fill any gaps.

• Establish new responsibilities: Update job descriptions, training, performance metrics and documentation.

• Assess change in control and compliance: Inventory requirements to determine information and control assessment needs from the service provider.

• Adapt capabilities of personnel: Depending on the “XaaS” cloud offering, the nature of processes moved to the cloud may require different skills internally.


Cloud Assurance – Setting the Stage

Cloud computing’s potential to lower IT costs and boost efficiencies is unprecedented; however, the reliability of cloud service providers is all but unmeasurable.

In PwC’s 2011 Global Information Security Survey, 14% of respondents who had experienced a data breach cited negative impact to brand or reputation, a business impact that has increased 180% in the past three years.

Recent examples of data loss, data privacy breaches and availability failures – Epsilon, Sony Entertainment, Amazon EC2, to name just a few – continue to remind cloud consumers of the risks.

For many organizations, the risk to brand reputation is simply too big to ignore.

Among customers, concerns about the cloud’s risks – security, privacy, availability, and data protection, to name a few – have created an atmosphere in which uncertainty and risk are top of mind.

Currently, there is no comprehensive framework for cloud controls that enables potential cloud customers to confidently assess and verify a cloud provider’s controls and environments.

This lack of a reliable control framework has opened a trust gap between cloud providers and customers, and that has impeded the advance of cloud computing.


Cloud Assurance – What exists today

Currently, most cloud customers are gathering information through a series of highly inefficient activities, often led by vendor management or procurement functions:

• Provider self-assessments, which typically focus on security policies

• Responses to customer-prepared questionnaires

• Service level agreements (SLAs) describing the provider’s obligations

• Third-party SAS 70 (now SSAE 16) reports

• Other certifications: PCI, ISO 27001/27002, HIPAA, FISMA, etc.

These efforts have been largely unsuccessful because they do not comprehensively address the service offering and the relevant compliance requirements from the perspective of the customer’s needs or expectations.

• A globally recognized framework of controls and standard for reporting may come in time, but cloud adopters need something sooner.


Cloud Assurance – Looking forward

AICPA Service Organization Reports (SOC 1 / SSAE 16, replacement for SAS 70 as of 6/11; SOC 2; SOC 3) compared with Custom Attest, by consideration point:

Consideration point: AICPA suggested scope
  SOC 1 / SSAE 16: Controls relevant to report users’ financial statements.
  SOC 2 and SOC 3: Controls relevant to compliance or operations, which could include (*) security; availability and processing integrity; confidentiality; privacy; data integrity and ownership. (*) Use of the AICPA Trust Principles is required.
  Custom attest: Management defined. Can include controls relevant and unique to operations, billing, technology, security, privacy and beyond.

Consideration point: Intended audience
  SOC 1: Restricted; limited distribution.
  SOC 2: Restricted; limited distribution.
  SOC 3: General use (with public seal); unrestricted distribution.
  Custom attest: Generally restricted distribution, but may be unrestricted.

Consideration point: Content of report
  SOC 1 and SOC 2: Description of the service organization’s system; description of controls; PwC opinion on fairness of presentation of the description, on control design (Type I and II), and on control effectiveness, including a description of PwC’s tests of controls and results (Type II only).
  SOC 3: Unaudited system description; PwC opinion on controls effectiveness.
  Custom attest: Description of management assertions and control objectives; list of criteria PwC evaluated; description of controls; PwC opinion.

Consideration point: AICPA audit standard
  SOC 1: SSAE 16.
  SOC 2, SOC 3 and custom attest: AT 101, Attest Engagements.


Summary - Plan for Success

• Understand the rationale for adopting cloud

• Engage with relevant function leaders to identify changes

• Review impacted business activities in the ‘as is’ and ‘to be’ states

• Assess capabilities of existing personnel to manage the transition and to perform roles in the new state

• Treat the move as a “process”, not a project

• Assess risk and build a plan to manage it accordingly


Thank you

Cara Beston, Cloud Assurance, [email protected]

Cara is the National Technology sector leader for PwC’s Risk Assurance practice, based in San Jose, CA. She is also a member of PwC’s national Cloud Action Committee and the firm’s representative to the Cloud Security Alliance. She specializes in IT and process risk and control assurance services to IT, Internal Audit, finance and business leaders in the Technology sector. Prior to joining the Risk Assurance practice, Cara spent 15 years serving the financial accounting and reporting needs of clients across a broad array of sectors, including manufacturing, real estate, financial services and technology. In her years with PwC, Cara has served over 80 technology clients, including key cloud-enabling enterprises such as Cisco Systems, VMware and 3Par, SaaS providers, and a number of online businesses including Shutterfly, CBS Interactive, Zappos.com and others. Cara graduated summa cum laude from Bridgewater College, MA and is a member of the AICPA. She lives in Pleasanton, CA with her husband and 3 children.