But its only a matter of time.
Simply put, the cloud is comprised of services you may rely upon, but which are not run on your own premises - and which largely use the capabilities of the Web for delivery. From a personal perspective, I began engaging the cloud when I let my domain name expire, quit paying for an ISP for my old website, and began relying on Blogger to provide space for my thoughts. I did it again, when I shifted my personal calendar to Google Calendar.
Company's do it when the shift to tools such as Salesforce.com, which is a Customer Relationship Management (CRM) tool that lives within the cloud and is emblematic of the technology. Indeed, Bill Gates publically predicted the global use of something like the cloud in about 1998, as I recall. Of course, the idea that we wouldn't buy disks from the store and "load" the software seemed pretty scary then. "Who would have my data?, you're kidding right?"
Within the cloud, according to Leslie (and the profession) there are three categories of service.
- SaaS - Software as a Service. The personal tools (Google Calendar, Blogger, Jotform, etc.) that I'm using are generally regarded as SaaS.
- PaaS - Platform as a Service. The underlying Google App engine is the canonical example.
- IaaS - Infrastructure as a Service. Not dissimilar from using an external hosting environment, except that it uses cloud computing for the infrastructure. Amazon's online backup is an example of this.
Of course, for auditors the control questions these kinds of new approaches raise can seem daunting.
How do we make sure our data is safe? Can we be sure its not being tampered with? What is the service's reliability? While it is neat to be able to access our data from anywhere, what about access speed? Change management. Are we going to be held hostage? Business Continuity-disaster?
She had a number of very full slides detailing these and many more cloud-related risks.
However, as she went through them she began to ask whether these were "new" risks. Risks that IT auditors would, as she put it, "need to go back to school on."
The answer, by the end of her presentation was definitely, "no." In the end, though the tools and tactics are changing, the control objectives are not.
What was interesting, and it generated a bit of discussion before time cut it off, is whether the traditional 3rd party assurance methodologies on which we have relied in the past will be up to the task. For example, one camp suggested that the traditional SAS-70 regime will be innadequate in a cloud environment.
Indeed, there would appear to be a number of layers of responsibility in such a computing model. It may be necessary to dig fairly deeply to figure out all the infrastructure and application providers on which we would be relying.
A SAS-70 cloud, perhaps?
Or would our contracts require that we send our auditors into the cloud to obtain assurance. The VP from Sun suggested that, to an extent, this is what they did and it cost them money initially to demand a certain level of assurance. However, she did note that Sun provides much of the actual behind-the-scenes infrastructure to these services, so they have a unique position from which to view the risk landscape.
On the other hand, another camp suggested that just as the risks have not fundamentally changed, so too the tools for covering them remain the same. The argument was made that SAS-70's are customized tools to begin with, and need only receive normal adjustment to comprehend these emerging risks.
I'll resist the temptation to pull a Kent Brockman (The Simpsons news anchor) and say, "only time will tell." Instead, let me say that I welcome comment on this issue.
-- Prescott Coleman, CIA, CISA
No comments:
Post a Comment