Cloud Assurance
CFIT Meeting, June 17, 2011
“The transformation to a true ‘digital enterprise’ will be the business challenge of the next decade. To achieve this, I see the implementation of a flexible, software based process layer across company departments, suppliers, and partners as the key enabling technology. This transformation has already started and today we are radically changing the way our customers do business. We are opening a whole new world of business models and business opportunities to them.”
Karl-Heinz Streibich, CEO, Software AG
“Going forward, we’ll see complete self-service and agility — as a user you should have the quickest, shortest path to getting whatever you want. This shift has been coming in bits and pieces, but now they’re coming together.”
Shekar Ayyar, Head of Strategy, VMware
PwC
Entire industries are going through a transformation that leverages cloud capabilities, and with any transformation comes the need to manage change and mitigate risk.

[Figure: cloud computing shown as the driver of business benefits (consumer loyalty, revenue growth, risk and compliance, cost reduction, enhanced customer expectations, new business models) across the dimensions of strategy, structure, people, process and technology.]
Why “Go Cloud?”
Go to / use the cloud

Benefits
• Cost savings
• Innovation
• Agility
• Efficiency

Business imperative
• Customer expectation
• Industry shift
• New revenue streams
• Scalability
Realization that the cloud changes industry
Source: Business Insider, "How Netflix Bankrupted And Destroyed Blockbuster", March 2011

Yesterday
In 2000, Blockbuster, then valued at $6B, declined to purchase Netflix for $50M. In 2011 Blockbuster is for sale for $290M, owes $21.6M to Fox, $20M to Warner and $13.3M to Sony, and has closed 1/3 of its stores.

Today
Downstream Internet traffic: Netflix users 20%, YouTube users 9.89%.

Tomorrow
It's more than the technology. It's the reality of the need to innovate, transform and optimize businesses. It's the business partner's need to change interactions and expectations as cloud-based businesses change.
Recent predictions of Cloud Computing growth
• "Gartner predicts that by 2015, 80% of enterprises using external cloud services will demand independent certification that providers can restore operations and data."
• "Infonetics Research is forecasting spending on security-related SaaS applications will experience a compound annual growth rate of 31% through 2014."
• "Cloud Computing was the #1 inquiry topic from Gartner clients in 2010."
• "MarketsandMarkets.com predicts that the global cloud computing market is expected to grow from $37.8 billion in 2010 to $121.1 billion in 2015 at a CAGR of 26.2% from 2010 to 2015."
• "Renub Research predicts Worldwide Cloud Computing market is growing at a rapid rate and it is expected to cross $25 Billion by the end of 2013."
• Joe McKendrick at ZDNet states that "very soon, a third of all software will be delivered via cloud."
• "Gartner predicts by 2015, 20% of non-IT Global 500 companies will be cloud service providers."
• "At the Cloud Connect conference Vijay Bhagavath, technology equity researcher for Deutsche Bank, estimates investment in 'private clouds' could be a $20 billion dollar opportunity by 2012."
Managing Change in Moving to the Cloud
• Have a clear understanding of the current process
• Clearly articulate the expected outcome and benefits of the move
• Identify, communicate and address lost capabilities
• Establish new responsibilities
• Assess change in control and compliance
• Adapt capabilities of personnel

Moving to the cloud requires ongoing preparation, planning, management and oversight. You still maintain responsibility for processes after the move.
Managing Change in Moving to the Cloud
Adapt capabilities of personnel
• Depending on the "XaaS" cloud offering, the nature of the processes moved to the cloud may require different skills internally

Have a clear understanding of the current process
• Moving to the cloud successfully means not losing any capability. Understand current outcomes, including governance and control

Clearly articulate the expected outcome and benefits of the move
• Service level agreements should reflect specific expectations for services, metrics and responses for non-achievement

Identify, communicate and address lost capabilities
• With the standardization of most "XaaS" solutions, changes in internal processes may be needed to fill any gaps

Establish new responsibilities
• Update job descriptions, training, performance metrics and documentation

Assess change in control and compliance
• Inventory requirements to determine the information and control assessment needs from the service provider
Cloud Assurance – Setting the Stage
Cloud computing's potential to lower IT costs and boost efficiencies is unprecedented; however, the reliability of cloud service providers is all but unmeasurable.
In PwC’s 2011 Global Information Security Survey, 14% of respondents who had experienced a data breach cited negative impact to brand or reputation—a business impact that has increased 180% in the past three years.
Recent examples of data loss, data privacy breaches and availability – Epsilon, Sony Entertainment, Amazon EC2 – to name just a few, continue to remind cloud consumers of the risks.
For many organizations, the risk to brand reputation is simply too big to ignore.
Among customers, concerns about the cloud’s risks – security, privacy, availability, and data protection, to name a few – have created an atmosphere in which uncertainty and risk are top of mind.
Currently, there is no comprehensive framework for cloud controls that enables potential cloud customers to confidently assess and verify a cloud provider’s controls and environments.
This lack of a reliable control framework has opened a trust gap between cloud providers and customers, and that gap has impeded the advance of cloud computing.
Cloud Assurance – What exists today
Currently, most cloud customers are gathering information through a series of highly inefficient activities often led by vendor management or procurement functions:
• Provider self-assessments, which typically focus on security policies
• Responses to customer-prepared questionnaires
• Service level agreements (SLAs) describing the provider's obligations
• Third-party SAS 70 (now SSAE 16) reports
• Other certifications – PCI, ISO 27002, HIPAA, FISMA, etc.

These efforts have been largely unsuccessful because they do not comprehensively address the service offering and the relevant compliance requirements from the perspective of the customer's needs or expectations.

A globally recognized framework of controls and standard for reporting may come in time, but cloud adopters need something sooner.
Cloud Assurance – Looking forward
Comparison of AICPA service organization reports and custom attest engagements, by consideration point:

SOC 1 / SSAE 16 (replacement for SAS 70 as of 6/11)
• AICPA suggested scope: controls relevant to report users' financial statements
• Intended audience: restricted; limited distribution
• Content of report: description of the service organization's system; description of controls; PwC opinion on fairness of presentation of the description, on control design (Type I and II) and on control effectiveness, including a description of PwC's tests of controls and results (Type II only)
• AICPA audit standard: SSAE 16

SOC 2
• AICPA suggested scope: controls relevant to compliance or operations, which could include security, availability and processing integrity, confidentiality, privacy, and data integrity and ownership (use of the AICPA Trust Principles is required)
• Intended audience: restricted; limited distribution
• Content of report: description of the service organization's system; description of controls; PwC opinion on fairness of presentation of the description, on control design (Type I and II) and on control effectiveness, including a description of PwC's tests of controls and results (Type II only)
• AICPA audit standard: AT 101, Attest Engagements

SOC 3
• AICPA suggested scope: as for SOC 2 (use of the AICPA Trust Principles is required)
• Intended audience: general use (with public seal); unrestricted distribution
• Content of report: unaudited system description; PwC opinion on control effectiveness
• AICPA audit standard: AT 101, Attest Engagements

Custom attest
• Scope: management defined; can include controls relevant and unique to operations, billing, technology, security, privacy and beyond
• Intended audience: generally restricted distribution, but may be unrestricted
• Content of report: description of management assertions and control objectives; list of criteria PwC evaluated; description of controls; PwC opinion
• AICPA audit standard: AT 101, Attest Engagements
Summary - Plan for Success
• Understand the rationale for adopting cloud
• Engage with the relevant function leaders to identify changes
• Review impacted business activities in their "as is" and "to be" states
• Assess the capabilities of existing personnel to manage the transition and to perform roles in the new state
• Treat the move as a "process", not a project
• Assess risk and build a plan to manage it accordingly
Thank you
Cara Beston, Cloud Assurance, [email protected]

Cara is the National Technology sector leader for PwC's Risk Assurance practice, based in San Jose, CA. She is also a member of PwC's national Cloud Action Committee and the firm's representative to the Cloud Security Alliance. She specializes in IT and process risk and control assurance services for IT, Internal Audit, finance and business leaders in the Technology sector. Prior to joining the Risk Assurance practice, Cara spent 15 years serving the financial accounting and reporting needs of a broad array of clients and sectors, including manufacturing, real estate, financial services and technology. In her 2w years with PwC, Cara has served over 80 technology clients, including key cloud-enabling enterprises such as Cisco Systems, VMware and 3Par, SaaS providers, and a number of online businesses including Shutterfly, CBS Interactive, Zappos.com and others. Cara graduated summa cum laude from Bridgewater College, MA and is a member of the AICPA. She lives in Pleasanton, CA with her husband and 3 children.