Organisations that have successfully implemented standalone cloud systems may feel that they have won the war against complex and expensive enterprise IT. That feeling may not last long once these systems need to be integrated with other systems, cloud or otherwise. The minute you start integrating your cloud with these other systems, you have what is termed a Hybrid Cloud.
Your IT risks are now becoming systemic risks, a point not lost on the most recent KPMG 2012 Audit Institute Report, which identified “IT Risk & Emerging Technologies” as the second highest concern for 2012.
In this presentation, Rob Livingstone suggests some practical approaches that CEOs, COOs and CFOs should be considering in the identification and mitigation of the pitfalls of Cloud computing in the enterprise.
2. Agenda
What I will be covering
1. Exploring the real definition of Cloud
2. Scope of this presentation
3. Systemic vs. Technical risks
4. Hybrid Cloud is the reality
5. Adding in mobility
6. BYOD, or Bring your own Disaster?
7. Hybrid Cloud + Mobility + BYOD Systemic Risk?
8. Standards? Which standards?
9. Orchestrating the transition
3. 1. Exploring the real definition of Cloud
The most quoted definition of Cloud:
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction”
4. 1. Exploring the real definition of Cloud
The most sensible definition of Cloud:
“Forget your technical definition of the Cloud, ask your mom what the Cloud is…. …And what your mother will tell you about the Cloud is that it means it’s not on my computer.”
Dave Asprey – Global VP, Cloud Security, Trend Micro
‘Navigating through the Cloud’ - Podcast episode, 23rd May 2012
5. 1. Exploring the real definition of Cloud
The 3 key ‘classic’ ingredients of Cloud
• You’re counting on the SaaS vendor to provide all the multi-tenancy for your data.
• You hope they’ve written their applications well, secure their databases, and so on ….
• You’re sharing the database with everyone else.
(Figure: greatest adoption)
6. 2. Scope of this presentation
How does this map to YOUR specific Cloud initiatives, both now and in the future?
7. 2. Scope of this presentation
• Mission critical, non-commodity, enterprise systems
• Multi-year investment in a cloud solution
• Shifting existing enterprise capability to Cloud, (or
integrating)
• Mid to large enterprise
• High security, privacy and confidentiality needs
• High governance loads and compliance environments
• Low risk appetite / high failure penalty environments
9. 3. Systemic vs. Technical Risk
Inherent risk relationship with Cloud service delivery and deployment models
http://www.coso.org
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
How does this map to YOUR specific Cloud initiatives, both now and in the future?
10. 3. Systemic vs. Technical Risk
Systemic Risks
• Taking a systemic view of risk will give you a better perspective of the actual risk, rather than what you think the risk might be
• Systemic risks are those with the greatest potential impact, as they affect the entire system (i.e. organisation, government, country, world…)
• Case in point: how is it that the finance industry, which is one of the more regulated and invests heavily in risk identification, mitigation and transference, could be the cause of the current global financial problems?
• Systemic risk for the enterprise is the silent killer and is often the hardest to identify, as only a few have a complete, transparent and objective overview of the overall enterprise in sufficient detail.
• Mitigation through approaches such as Enterprise Risk Management (ERM), which has its origins in fraud, organisational governance, insurance, etc.
11. 3. Systemic vs. Technical Risk
Technical (or functional) Risk
• Identifying, categorising and ranking technical and functional risks is core to conventional IT risk assessment approaches:
o Risk of a specific event = (Impact x Probability of that event occurring) + Risk Adjustment
• Underpins conventional risk certification frameworks, e.g. ISO 2700X
• Certification does not necessarily equal security or effectiveness of a risk management model
• Focusing on the diverse range of technical risks often does not account for the interaction between risks.
• Systemic risks are often more significant than the sum of the individual technical risks
• Technical risks are the predominant focus for traditional IT shops
12. 4. Hybrid Cloud is the reality
The 4 flavours of cloud computing – basic attributes
Public:
• No control
• No ownership
• You own data
• Apps stay behind
Private / Internal:
• You control all
• You may own
• You define architecture
• You determine your own security position
Hybrid:
• Combination of 2 or more models
• Can be more complex
• Need to manage interfaces, integration
Community:
• Multiple organisations share same private cloud infrastructure
13. 4. Hybrid Cloud is the reality
Hybrid will be the dominant form in the enterprise
“Within five years, it will be primarily deployed by enterprises working in a hybrid mode”. - Gartner
Gartner, "Predicts 2012: Cloud Computing Is Becoming a Reality” (Published: 8 December 2011, ID: G00226103)
14. 4. Hybrid Cloud is the reality…… …. as is the potential for complexity….!
• Orchestrating versioning, change control and rollback
• Life expectancy alignments
• Business Continuity
• Identity Management
• Due diligence
• Forensics / eDiscovery
• BYOD
• Mobility
• Legislative / Jurisdictional
• Contractual complexity
….. To name but a few
Add another layer of abstraction… what are the systemic risks?
15. 4. Hybrid Cloud is the reality……
Why understanding your Cloud Computing Reference Architecture is important in coming to grips with systemic risk
16. 4. Hybrid Cloud is the reality……
Is the Cloud Broker your IT Department in the Cloud?
17. 4. Hybrid Cloud is the reality……
"Cloud consumers should budget for additional integration costs which can range from 10% to 30% — and sometimes as high as 50% — of the total cost of cloud IT projects."
Gartner, "Predicts 2012: Cloud Services Brokerage Will Bring New Benefits and Planning Challenges" - Published: 22 November 2011, ID: G00227370
18. 4. Hybrid Cloud is the reality
Hybrid cloud can contribute to….
• Increased vulnerability due to its fragmented architecture and larger attack surface …
• however, if it is properly architected, the risks are largely eliminated by implementing measures such as…
o Deploying effective policy-based key management processes
o Properly segmenting your public and private clouds
o Encrypting each part of the hybrid Cloud with separate keys
o … amongst other measures
19. 5. Adding in Mobility
Mobile devices:
• Are powerful cloud access devices
• Extend the perimeter of your cloud
• Disperse the perimeter of your cloud
Have the potential to increase the vulnerability:
• The compromise of one of these mobile devices could be significant and compromise your entire cloud.
• Use policy-based key management regimes for your data.
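Slides 18 and 19 both argue the same point: separate keys per part of the hybrid Cloud, released under policy, so that the compromise of one part (a single mobile device, say) does not expose the whole estate. The following is an added example written for this page, not code from the presentation or its author. It assumes three constructed segments ("public", "private", "mobile") with constructed sample records, and it uses an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag purely so it runs on the Python standard library; a real deployment would use an AEAD such as AES-GCM backed by a KMS/HSM. The `KeyManager` policy (a workload may only obtain its own segment's key, and keys are revocable per segment) and the `blast_radius` comparison between one-key-per-segment and a single shared key are the point of the exercise.

```python
import hashlib
import hmac
import os

# Constructed sample records, tagged with the part of the hybrid cloud
# (segment) in which each lives. "mobile" stands for data cached on a
# mobile access device.
SAMPLE_RECORDS = [
    ("public", b"marketing site content"),
    ("public", b"public product catalogue"),
    ("private", b"payroll export Q2"),
    ("private", b"customer PII extract"),
    ("mobile", b"cached sales dashboard"),
]

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 digest size


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF to generate a keystream.
    A standard-library stand-in for a real AEAD such as AES-GCM so that the
    example runs anywhere; it is here to illustrate key separation only."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a key from another segment fails
    loudly rather than silently producing garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyManager:
    """Policy-based key management (hypothetical, for this example): one key
    per segment, released only to a requester in the same segment, with
    per-segment revocation so a compromised segment can be cut off alone."""

    def __init__(self, segments):
        self._keys = {seg: os.urandom(32) for seg in segments}
        self._revoked = set()

    def key_for(self, segment: str, requester_segment: str) -> bytes:
        if segment in self._revoked:
            raise PermissionError(f"key for '{segment}' has been revoked")
        if requester_segment != segment:
            raise PermissionError(
                f"policy: a '{requester_segment}' workload may not use the '{segment}' key")
        return self._keys[segment]

    def revoke(self, segment: str) -> None:
        self._revoked.add(segment)


def blast_radius(separate_keys: bool, leaked_segment: str = "mobile"):
    """Encrypt SAMPLE_RECORDS with one key per segment or with a single shared
    key, then count how many records the key of `leaked_segment` (e.g. one
    compromised mobile device) can still decrypt. Returns (readable, total)."""
    segments = sorted({seg for seg, _ in SAMPLE_RECORDS})
    km = KeyManager(segments if separate_keys else ["shared"])
    stored = []
    for seg, data in SAMPLE_RECORDS:
        key_seg = seg if separate_keys else "shared"
        stored.append(encrypt(km.key_for(key_seg, key_seg), data))
    leaked_seg = leaked_segment if separate_keys else "shared"
    leaked_key = km.key_for(leaked_seg, leaked_seg)
    readable = 0
    for blob in stored:
        try:
            decrypt(leaked_key, blob)
            readable += 1
        except ValueError:
            pass  # tag mismatch: this record is protected by a different key
    return readable, len(stored)


if __name__ == "__main__":
    print("separate keys per segment:", blast_radius(True))   # (1, 5)
    print("one shared key:           ", blast_radius(False))  # (5, 5)
```

With separate keys, losing the mobile segment's key exposes only the one record cached on the device; with a single shared key across the hybrid estate, the same loss exposes every record. The policy check in `key_for` is what turns "separate keys" from a convention into a control: a public-cloud workload cannot fetch the private segment's key even by asking, and revoking one segment leaves the others serviceable.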
20. 6. BYOD or Bring Your Own Disaster?
BYOD stands for Bring Your Own Device.
• Reflects the increasing demands of users and organisations on their own IT departments to be increasingly agile and responsive to their needs when it comes to iPads, tablets and other mobile devices.
21. 6. BYOD or Bring Your Own Disaster?
BYOD requires management:
• Deploy Mobile Device Management systems (remote wipe, policy enforcement)
• Introduce a non-porous Virtual Desktop environment - no data can flow between the Cloud system and the mobile device itself
• Containerisation:
  • Segregates corporate from personal data and applications
  • Enforces encryption and prevention of data leakage between containers
  • Application / device specific, therefore can be a challenge to expand across the entire mobile environment for all applications.
22. 7. Hybrid Cloud + Mobility + BYOD Systemic Risk?
Is the systemic risk increased by the combination of:
– Hybrid Cloud
– Mobility
– BYOD?
I would suggest that the answer is ‘Yes’
23. 8. Standards? Which standards?
A plethora of forums, industry groups and associations:
– Cloud Security Alliance
– Cloud Standards Customer Council
– Distributed Management Task Force (DMTF)
– Cloud Management Working Group (CMWG)
– The European Telecommunications Standards Institute (ETSI)
– National Institute of Standards and Technology (NIST)
– Open Grid Forum (OGF)
– Object Management Group (OMG)
– Open Cloud Consortium (OCC)
– Organization for the Advancement of Structured Information Standards (OASIS)
– Storage Networking Industry Association (SNIA)
– The Open Group
– Association for Retail Technology Standards (ARTS)
– TM Forum’s Cloud Services Initiative
Source: cloud-standards.org
24. 8. Standards? Which standards?
• Compliance standards were originally designed for on-premise IT systems and infrastructure that were relatively static
• Auditing institutions are averse to cutting edge technologies
• Is your organisation (or parts thereof) standards/compliance driven?
– Compliance with standards vs. unimpeded innovation based on the principle of caveat emptor?
• Regulators are not providing much specific and concrete guidance on Cloud; however, many guidelines exist
26. 9. Orchestrating the Transition
#1: Adopt an integrated approach to enterprise Cloud
• Standardised, traditional methodologies within specific disciplines such as IT security, project management, audit, and information security, in and of themselves, can be self-limiting.
• Each discipline and/or technology is only really effective when its application is actively coordinated with the other key moving parts of the organisation
Harmonisation of functionally specific methodologies and technologies unleashes value and eliminates waste
Cloud solutions may or may not help!
27. 9. Orchestrating the Transition
#2: Manage the conflicting messages
• 24% of CEOs surveyed in the 2012 PWC CEO Survey expect ‘major change’.
• The eighth annual KPMG 2012 Audit Institute Report identified “IT Risk and Emerging Technologies” as the second-highest concern for audit committees, which is unprecedented in the history of the report.
• Cloud evangelists see cloud as imperative, others do not
• Rigorously test generic, enterprise Cloud policy statements in the context of your business unit, agency or department. Map and quantify the gaps
Develop an effective mechanism for interpreting these messages in the context of your organisation
28. 9. Orchestrating the Transition
#3: Actively identify, embrace and manage shadow IT
“Shadow IT can create risks of data loss, corruption or misuse, and risks of inefficient and disconnected processes and information” – Gartner*
Embrace shadow IT, and define what is and what is not eligible to be considered enterprise IT
Develop, socialise and police appropriate policies on the selection of Cloud based services, no matter how innocuous, for your key information assets.
Shadow IT elevates systemic risk due to its opacity
* Gartner, "CIO New Year's Resolutions, 2012" (ID: G00227785)
29. 9. Orchestrating the Transition
#4: Identify systemic risks across the organisation
• Systemic risks can jeopardise all or parts of the organisation
Ensure your executives and key decision makers are aware of long term, systemic risks
Federate enterprise IT decisions vs. managing the systemic risk
Understand the systemic risks inherent in long lead time IT projects where Cloud plays a critical part
Consider implementing key aspects of Enterprise Risk Management (ERM) as they relate to your IT projects and initiatives
30. 9. Orchestrating the Transition
#5: Don’t gloss over complexity
• Senior line-of-business (LOB) managers with agency and/or functional responsibility over specific vertical silos of the organisation may underestimate the overall complexity of their own organisations as a whole.
• From a functional perspective, specific methodologies and technologies exist to support specific activities; however, integration can be the Achilles’ heel for single instance Cloud applications.
• Cost your medium / long term Cloud strategy with rigour.
Don’t believe that simple IT solutions can paper over underlying business complexity. Test assumptions if critical.