New Paradigm of Automation, Mike Chung, KPMG Security

New Paradigm of Automation January 2011, Rotterdam drs. Mike Chung RE Risk & Compliance ADVISORY

Transcript of New Paradigm of Automation, Mike Chung, KPMG Security

Page 1: New Paradigm of Automation, Mike Chung, KPMG Security

New Paradigm of Automation

January 2011, Rotterdam

drs. Mike Chung RE

Risk & Compliance

ADVISORY

Page 2: New Paradigm of Automation, Mike Chung, KPMG Security

© 2011 KPMG ELLP, the member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.

Introduction

Page 3: New Paradigm of Automation, Mike Chung, KPMG Security

Hypothesis

Paradigm shift in automation is in progress

Hybrid environment is the ‘future’ mode of operation

Orchestration of this hybrid environment will be a critical success factor

Page 4: New Paradigm of Automation, Mike Chung, KPMG Security

Why this presentation?

We, auditors, see organizations taking irresponsible risks in an increasingly complex technology and business environment

We strongly feel auditors are to provide clear and structured insight into risks and mitigations

We believe in sharing this knowledge to benefit the community

Page 5: New Paradigm of Automation, Mike Chung, KPMG Security

Objectives

Understanding the context of the new paradigm

Addressing the considerations

Defining steps forward

Page 6: New Paradigm of Automation, Mike Chung, KPMG Security

Assumptions & limitations

Assumptions
- Participants have advanced (technical) knowledge of IT
- Locally-installed and managed IT as ‘traditional’, on-premise IT

Limitations
- Not an exhaustive overview
- One-way communication

Page 7: New Paradigm of Automation, Mike Chung, KPMG Security

Understanding the context

Page 8: New Paradigm of Automation, Mike Chung, KPMG Security

Current business challenges

Cost savings
- Cost savings often necessary in order to maintain profit margins
- In practice, difficult to enforce and cutting expenses is never a popular measure

Time-to-market
- Volatile consumer and employee demands
- Short lifetime of products and services
- Delay results in significant loss of opportunity and smaller market

Page 9: New Paradigm of Automation, Mike Chung, KPMG Security

Old paradigm

Increasing expenditure
- IT spending at up to 5% of revenue for Fortune500 enterprises and over 5% of government budgets in most OECD countries
- 80% of these costs spent on maintenance of the existing IT
- IT budgets show an upward trend

Rigid and static
- Bound to existing, local IT resources
- Deployment of new services bears high risks and involves more time and effort
- Never designed to facilitate mobile use

Page 10: New Paradigm of Automation, Mike Chung, KPMG Security

Trend: centralization and commoditization

Centralization of IT assets
- Economies of scale result in cost savings
- Centralized delivery of services facilitates volatile demand more effectively

Commoditization
- Standardized use of IT services leads to lower costs
- Turnkey solutions are easier to deploy

Page 11: New Paradigm of Automation, Mike Chung, KPMG Security

Various solution models (1/2)

Portfolio management
- Management of IT purchases
- Controlled use of existing IT assets
- ‘Vendor/solution-X-unless’ policies

Shared Service Centers
- Centralization of scattered IT units and resources
- Allocation of expertise and IT assets

Hosting
- Use of provider’s IT resources to host specific services (e.g. web sites)
- Use of provider’s IT resources as additional IT capacity

Page 12: New Paradigm of Automation, Mike Chung, KPMG Security

Various solution models (2/2)

Outsourcing & offshoring
- Shift of IT services to providers
- Transfer of IT units and resources to providers

Cloud computing
- Use of standardized, shared services from providers (varying degrees of multi-tenancy)
- IT service as a commodity

Supporting technologies/infrastructure
- Virtualization
- Web services and ‘Service Oriented Architecture’
- Broadband internet
- Mobile networks

Page 13: New Paradigm of Automation, Mike Chung, KPMG Security

“I realised that what I was standing in was a prototype of a new kind of power plant – a computing power plant that would come to power our information age the way great electric plants powered the industrial age.”

Nicholas Carr, The Big Switch

[Figure: Locally installed IT, SSC, Hosting, Outsourcing & Offshoring and Cloud computing positioned on two axes, ‘Outsourcing of IT resources and management’ and ‘Resource sharing’, each running from low to high.]

Source: KPMG

Page 14: New Paradigm of Automation, Mike Chung, KPMG Security

Old to new paradigm

[Figure: three columns, Traditional IT, Outsourcing and Cloud computing. Each is built from the layers Data, IT management, IT assets/resources and Provider’s proprietary technology and processes, set against the labels ‘Managed’ and ‘Purchased’.]

Page 15: New Paradigm of Automation, Mike Chung, KPMG Security

Cloud computing

Page 16: New Paradigm of Automation, Mike Chung, KPMG Security

Cloud computing: definition(s)

Too many definitions of cloud computing
- “Cloud computing is storing your data on someone else’s hard disk and accessing it via a network”
- Hosted services from the (inter)net, metaphorically depicted as a cloud
- Utilization of Web 2.0 ‘ASP 2.0’

Characteristics:
- Multi-tenancy (resource sharing)
- Separation of use and ownership of IT assets
- Subscription based
- Elastic (upscale and downsize)
- External data storage
- Use of the internet

Page 17: New Paradigm of Automation, Mike Chung, KPMG Security

On-premise vs cloud computing

[Figure: two panels, ‘On-premise’ and Cloud computing. Labels in the first panel: Customer; Hardware, software + data; Users; IT services; Vendor; Licences and support costs. Labels in the second panel: Customer; Hardware, software + data; Users; IT services; Vendor; Subscription; pay-as-you-go; Internet.]

Page 18: New Paradigm of Automation, Mike Chung, KPMG Security

Cloud computing: types and layers

Types of cloud computing
- Public cloud
- External private cloud
- Internal private cloud

Layers
- Software-as-a-Service (Salesforce.com, Gmail, Office 365)
- Platform-as-a-Service (Google AppEngine, Force.com, Azure)
- Infrastructure-as-a-Service (Amazon EC2, Terremark Cloud)

Page 19: New Paradigm of Automation, Mike Chung, KPMG Security

Cloud computing: history

- First computer: UNIVAC in 1940
- Thomas Watson: “the world needs only five computers..”
- Hardware revolution 1960 - 1970
- Mainframe era 1970 - 1990
- Rise of the client computer 1980 - 1990
- Rise of the client-server architecture 1990 - 1995
- Rise of the network computer 1995 - 2000
- Moore’s law
- Grove’s law

By 2005:
- Sufficient bandwidth
- Matured virtualization technology
- Matured web services technology
- Salesforce.com

Page 20: New Paradigm of Automation, Mike Chung, KPMG Security

Cloud computing down-to-earth

Cloud computing is marginal
- Current share of external types of cloud computing in IT is less than 5%
- The US is the leading outlet of cloud services (60%); the rest of the world can be considered as periphery
- Internet platforms for collaborative/social purposes are yet to be adopted by business communities

Cloud computing is considerable
- The market of cloud computing is expected to grow between 20 and 40% per year (2010 – 2015)
- According to a recent survey by KPMG, more than 40% of corporations are already using some form of cloud computing
- Cloud computing is part of the paradigm shift in automation from locally installed/managed IT towards centralized delivery and shared use of services

Sources: KPMG, OECD, IDC, Burton Group

Page 21: New Paradigm of Automation, Mike Chung, KPMG Security

Incidents and threats in practice

Incidents
- Hackers stole credentials of Salesforce.com’s customers via phishing attacks (2007)
- Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)
- Botnet incident at Amazon EC2 infected customers’ computers and compromised their privacy (2009)
- Thousands of Hotmail accounts were hacked due to technical flaws in Microsoft’s software (2010)

Threats
- Botnets are increasingly threatening access to internet services
- Spam, excessive traffic of multimedia sites and P2P networks are clogging the internet’s arteries – internet traffic is growing by 40% per year

Sources: KPMG, Cisco

Page 22: New Paradigm of Automation, Mike Chung, KPMG Security

Considerations

Page 23: New Paradigm of Automation, Mike Chung, KPMG Security

New paradigm of automation: hybrid environment

Given the position of cloud computing and ongoing wave of sourcing, the future mode will be a hybrid environment

At large organizations, this hybrid environment will consist of on-premise IT, outsourced parts, parts on hosting providers, and parts in the cloud

Page 24: New Paradigm of Automation, Mike Chung, KPMG Security

New paradigm: hybrid environment

Source: KPMG

Page 25: New Paradigm of Automation, Mike Chung, KPMG Security

Characteristics impacting risk profile

Location of data storage and IT assets
- Traditional IT: on-premise; within the internal security domain of customer
- Cloud computing: off-premise; outside the internal security domain of customer; hosted/located at cloud service provider or distributed/scattered over a multitude of (third party) providers

Usage of (IT) resources
- Traditional IT: exclusive for the customer
- Cloud computing: varying degrees of multi-tenancy

Principal infrastructure
- Traditional IT: LAN, leased lines
- Cloud computing: public internet

Page 26: New Paradigm of Automation, Mike Chung, KPMG Security

Risk dimensions

[Figure: ‘Risks’ at the centre, surrounded by six dimensions: Technology, Compliance & Legal, Data, Operations, Provider, Finance.]

Source: KPMG

Page 27: New Paradigm of Automation, Mike Chung, KPMG Security

Risk dimension: data

External IT operations
- Inadequate and/or insufficient data security measures at provider’s location(s) compromising data integrity and confidentiality
- Issues with retracting data after termination of service

Multi-tenancy
- Inadequate data segregation and process isolation leading to data contamination and/or breach of confidentiality
- Inadequate Identity & Access controls causing illegitimate access to sensitive data such as intellectual property

Public internet
- Unencrypted data getting lost or stolen in transfer
- Clogged parts of the network causing unavailability of data

Page 28: New Paradigm of Automation, Mike Chung, KPMG Security

Risk dimension: operations

External IT operations
- Discontinuation of business critical services due to failing disaster recovery at cloud service provider
- Unclearly defined SLAs leading to unsatisfactory services

Multi-tenancy
- Restricted/limited services due to insufficient allocation of resources and/or capacity
- Standardized functionalities not meeting business requirements

Public internet
- Dependency on internet access and availability for all cloud services
- Uncontrolled access from unsecured/malware-infected client devices affecting services

Page 29: New Paradigm of Automation, Mike Chung, KPMG Security

Risk dimension: compliance & legal

External IT operations
- Compliance issues due to lack of assurance concerning the physical location of data
- Location of data in different jurisdictions conflicting with local legislations applicable to the customer

Multi-tenancy
- Complexity to ensure compliance due to ‘black box’ nature of shared resources (monitoring & logging)
- Compliance issues due to complex or unclearly defined ecosystem of third-party cloud services

Public internet
- Public internet is exceptionally hard to audit and to monitor
- Accountability and responsibilities on internet traffic are difficult to assign and even more difficult to enforce

Page 30: New Paradigm of Automation, Mike Chung, KPMG Security

Risk dimension: technology

External IT operations
- Integration issues due to cross-vendor incompatibility
- Divergent technical controls between internal and external IT resources causing inconsistent security levels

Multi-tenancy
- Standardized security controls not meeting the customer’s on-premise technical standards
- Standardized functionalities not meeting the technical change control capabilities of the customer

Public internet
- Measures to secure internet traffic of valuable data leading to deviating company security standards
- Lack of possibilities to influence technology on the internet

Page 31: New Paradigm of Automation, Mike Chung, KPMG Security

Risk dimension: finance

External IT operations
- Underestimated cost of migration
- Inaccurate estimation of cost for pay-as-you-go/subscriptions of cloud services versus on-premise cost
- Underestimated cost of legal and risk management support
- Capital destruction due to unused on-premise IT assets and unused potential of human resources
- Additional cost in retrenchment of IT staff

Public internet
- Additional cost for leased lines and/or more bandwidth
- Additional cost for measures to secure internet traffic

Page 32: New Paradigm of Automation, Mike Chung, KPMG Security

Risk dimension: vendor

External IT operations
- Vendor lock-in due to usage of proprietary standards
- Discontinuation of business critical services in case of bankruptcy of the cloud service provider
- Cloud computing may be part of a ‘tech bubble’ – massive investments in an uncertain business model (one big incident at Google or Microsoft can push back months of progress)

Multi-tenancy
- Undesirable change of services or service levels in case of strategy alterations or take-over of the provider
- Less customization due to shift of focus of the provider

Page 33: New Paradigm of Automation, Mike Chung, KPMG Security

Addressing the challenges

Page 34: New Paradigm of Automation, Mike Chung, KPMG Security

New paradigm: hybrid environment

Source: KPMG

Page 35: New Paradigm of Automation, Mike Chung, KPMG Security

Orchestration

Orchestration of automation will be the critical success factor
- Management of multiple providers
- Integration of different technologies
- Risk control over various dimensions

IT complexity will gradually reduce, but compliance challenges and legal complexity will increase
- Continuous monitoring of compliance
- Legal support as integral part of service management

The key risk resides in the organization’s inability to orchestrate the new paradigm of automation
- Dependency on static IT units
- Proliferation of services

Page 36: New Paradigm of Automation, Mike Chung, KPMG Security

Control & trust

[Figure: three columns, Traditional IT, Outsourcing and Cloud computing. Each is built from the layers Data, IT management, IT assets/resources and Provider’s proprietary technology and processes, set against the labels ‘Span of control’ and ‘Trust’.]

Page 37: New Paradigm of Automation, Mike Chung, KPMG Security

Scope of audit/assurance and area of difficulty

[Figure: three columns, Traditional IT, Outsourcing and Cloud computing. Each is built from the layers Data, IT management, IT assets/resources and Provider’s proprietary technology and processes, set against the labels ‘Scope of audit’ and ‘Trust’.]

Page 38: New Paradigm of Automation, Mike Chung, KPMG Security

Current audit standards

Localized IT as starting point (ITIL)

Strong focus on ‘traditional’, on-premise IT (ISO27001/2, PCI DSS)

Static (Cobit)

Strong focus on processes (SOx)

Page 39: New Paradigm of Automation, Mike Chung, KPMG Security

New audit ‘standards’

Abundance of ‘standards’
- ENISA, Cloud Computing Benefits, risks and recommendations for information security
- ENISA, Cloud Computing Information Assurance Framework
- Cloud Security Alliance (CSA), Top Threats to Cloud Computing V1.0
- ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspective
- ISF, Security Implications of Cloud Computing
- OWASP, Application Security Verification Standard 2009 – Web Application Standard, 2009
- KPMG, Beveiligingraamwerk SaaS

Limited scope, mainly focused on security

Scarcely used, barely accepted by the market

Page 40: New Paradigm of Automation, Mike Chung, KPMG Security

Compliance

Responsibility and risks are with the customer, not the cloud service provider

Legislations versus the current state of (technical) affairs

Compliance with different legislations from different countries (SOx, HIPAA, PCI DSS, WBP..)

SAS70/ISAE 3402/3000 as a way out?

Page 41: New Paradigm of Automation, Mike Chung, KPMG Security

SAS70/ISAE 3402/3000: objections

Limited to processes relevant to financial statements

Free to choose the controls

Dependent on the expertise and view point of the auditor

Many variations on audit approach, set-out and level of (technical) detail

Wide intervals between audits

Page 42: New Paradigm of Automation, Mike Chung, KPMG Security

SAS70/ISAE 3402/3000 in practice

Same standards used as for on-premise IT environments

Hardly any attention on multi-tenancy, service integration and external data storage

Superficially reviewed by (potential) customers and auditors

Lacunas rarely raised

Page 43: New Paradigm of Automation, Mike Chung, KPMG Security

Conclusion

Page 44: New Paradigm of Automation, Mike Chung, KPMG Security

New paradigm: hybrid environment

Source: KPMG

Page 45: New Paradigm of Automation, Mike Chung, KPMG Security

Our role

Understand

Participate

Keep your eyes open and keep your head cool

Page 46: New Paradigm of Automation, Mike Chung, KPMG Security

Conclusion

Paradigm shift in automation is in progress from locally-installed and maintained IT (on-premise IT) towards the centralization and commoditization of IT services

Hybrid environment consisting of different service models is the ‘future’ mode of operation

Orchestration of this hybrid environment will be a critical success factor

Page 47: New Paradigm of Automation, Mike Chung, KPMG Security

Literature

- Above the Clouds: A Berkeley View of Cloud Computing, University of California at Berkeley, 2009
- Top Threats to Cloud Computing V1.0, Cloud Security Alliance (CSA), 2010
- Cloud Computing Benefits, risks and recommendations for information security, ENISA, 2009
- Cloud Computing Information Assurance Framework, ENISA, 2009
- Cloud Computing: Business Benefits With Security, Governance and Assurance Perspective, ISACA, 2009
- Security Implications of Cloud Computing, ISF, 2009
- From Hype to Future, 2010 Cloud Computing Survey, KPMG, 2010
- Clouds in the Forecast - Canadian perspectives on the promise of cloud computing services for businesses, KPMG, 2010
- Executive Considerations When Building and Managing a Successful Cloud Service, KPMG, 2009
- Application Security Verification Standard 2009 – Web Application Standard, OWASP, 2009
- Mike Chung & Walter van Holst, Vendor lock-in in de cloud, Automatisering Gids, August 2010
- Mike Chung, Audit in the Cloud, KPMG Nederland, 2010
- Mike Chung, Data Lifecycle in the Cloud, KPMG, 2010
- Mike Chung, Informatiebeveiliging versus SaaS, EDP-Auditor no. 2, 2009
- Abhijit Dubey & Dilip Wagle, Delivering Software as a Service, McKinsey Quarterly, May 2007

Page 48: New Paradigm of Automation, Mike Chung, KPMG Security

Contact

Drs. Mike Chung RE
Manager
KPMG Advisory N.V.
E-mail: [email protected]
+31 (0)6 1455 9916

Page 49: New Paradigm of Automation, Mike Chung, KPMG Security

About the painter & painting

J.H. Weissenbruch was a famous 19th century Dutch painter famed for his depiction of clouds

His style of painting with various tones of grey and brown is typical for the so-called Hague School (Haagse School)

Ever-changing ‘skyscape’ of clouds and sunlight above the Low Lands and the North Sea was a source of inspiration for the painters of the Hague School

This painting is called Landschap met een boerderij bij een plas (Landscape with a farmhouse at a pond)